WORLDCOM USERS ASK, ‘WHAT IF...?’

Diversification, backup planning come to fore

BY PATRICK THIBODEAU

WASHINGTON

The contingency planning that IT manager Barry Brunetto developed for his company, Blount International Inc., covers a lot of scenarios, including failed circuits and earthquakes. But he never imagined that a company of WorldCom Inc.’s stature could be a disaster, and Brunetto is now looking for a safety net for his data services. He’s not alone.

Brunetto, the Portland, Ore.-based director of information systems at the sporting goods and power equipment maker, thought he had a viable business-contingency protection strategy in place: restricting business agreements to “Tier 1” companies — the most reliable ones. That was then.

“One  of  the  reasons  we  deal 
with  Tier  1  vendors  is  the  sta- 
WorldCom,  page  16 


WORLDCOM  WATCH 

For comprehensive coverage of WorldCom developments, visit our Web site.

QuickLink: a2310
www.computerworld.com


WAR ON TERROR AIDS IT MARKET

Vendors vie for piece of homeland security pie

BY DAN VERTON

The war on terrorism is fueling a much-needed economic boost of the IT market, according to analysts and corporate executives. And slump-weary vendors are scrambling for a piece of the action.

Of the $38 billion earmarked for homeland security in the Bush administration’s fiscal 2003 budget proposal, as much as $6.5 billion could be spent on new cybersecurity programs, estimated John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.

The potential windfall has many traditional IT companies expanding their offerings from strictly commercial applications to encompass homeland security.

The Bush administration’s focus on using the nation’s IT brain trust to tackle homeland security has attracted a wide range of mainstream IT companies, such as American Management Systems Inc., TEM MicroStrategy Inc., Oracle Corp., Symbol Techn...
War on Terror
6 Southwest Airlines navigates a turbulent post-Sept. 11 travel market with the help of business intelligence software.

7 Novell’s road map for directory services spotlights a plan to extend identity management to Web services technologies.

Microsoft in the messaging market,
The Importance of ROI

How critical are ROI analyses in your work? Check out a reader’s inquiry in our online discussion forum.

QuickLink: a2320

What’s a QuickLink?

On some pages in this issue, you’ll see a QuickLink code pointing to additional, related content on our Web site. Just enter that code into our QuickLink box online, which you’ll see at the top of each page on our site.
23 The Security Action Plan

EDITOR’S NOTE: Today’s IT security crisis is every bit as big as the Y2k problem — except that it doesn’t have an immovable deadline. This special report provides a to-do list that ranges from managing patches and assembling an incident response team to securing wireless LANs.

34 Let the Pros Investigate: Forensics is a specialized discipline that’s fast becoming mandatory for companies that need to show that computer crimes don’t go unsolved or unpunished.
ONLINE: Assisting in a forensics investigation can be a complicated business, but there are resources available to help. QuickLink: 30849

36 Watch Out for Wireless Rogues: Enterprise IT managers need to develop comprehensive wireless LAN management policies in order to battle the proliferation of rogue access points.
ONLINE: Three products for detecting unauthorized access points on wireless LANs. QuickLink: 30856

25 The Story So Far: A fast-paced history of IT security and disaster recovery, in which our IT heroes do battle against trapdoors, the Morris worm, Russian hackers, power outages and even earthquakes and hurricanes.

26 ROI: Like every other kind of IT investment, security projects must demonstrate their business value. Here’s a step-by-step guide to cutting costs and getting the greatest returns.

28 Manage Those Patches! New security software is making it easier to distribute and test patches. But finding a fast and reliable way to identify new patches and prioritize installation remains elusive and costly for companies.
ONLINE: When it comes to a complete product for patch management, no single vendor meets all the needs of most IT buyers. QuickLink: 30913

38 Put Your IT Eggs in Different Baskets: Learn about four approaches that major companies are using to quickly recover or even seamlessly continue doing business when disaster strikes.
ONLINE: Before a particular system goes down, determine the impact it will have on people, technology and processes. QuickLink: 30853

40 QuickStudy: Denial-of-service attacks are an old problem, but a few new twists make them even nastier.

43 Opinion: The way to thwart cyberterrorists is to stay one step ahead of them in finding vulnerabilities, says columnist Nicholas Petreley.

44 Field Report: Virtual private networks are useful security tools that have gained a reputation for being difficult to implement and manage. But today’s VPN offerings go a long way toward ease of use.

46 Careers: A roundup of skills, training and salary information for IT security professionals.
ONLINE: One security engineer offers his tips for staying a step ahead of the hacker community. QuickLink: 30925

32 Build a Response Team: A computer incident response team’s mission is to orchestrate a speedy and organized companywide response to a threat. While the goals of most CIRTs are the same, there are different approaches to assembling the team.

47 The Next Chapter: Pundits predict the rise of “security malpractice” lawsuits, federal security audits and sluggish growth for smart cards.
IBM EXEC TALKS ABOUT HOT SECURITY TRENDS

The security head at IBM Global Services describes services in demand, the future of biometrics and IBM’s work on intelligence sharing.

QuickLink: 31111

IT SECURITY CASE STUDIES

How IT managers deal with challenges such as recovering from laptop crashes and monitoring all of those security sensors.

QuickLink: 31185

INTRUSION-DETECTION SYSTEMS EVOLVE

The intrusion-detection systems of the future are likely to be hybrids of signature-based and anomaly-based technologies.

QuickLink: 31186


NEWS

AT DEADLINE

Microsoft Rejects Its Own Dog Food . . .

NetScreen Technologies Inc., a Sunnyvale, Calif.-based company that makes firewall and virtual private network hardware and software, announced last week that Microsoft Corp.’s SQL Labs, the unit that works on SQL Server, is using NetScreen’s 500-series security appliance to defend its network against Code Red, Nimda and other worm attacks. The choice was made despite the fact that Microsoft already sells its own security product, Microsoft Internet Security and Acceleration Server, which is touted as a defense against worms. Microsoft declined to comment beyond a SQL network engineer’s endorsement of the NetScreen product.

. . . And Details CRM Suite for .Net

Microsoft last week detailed a plan to release in the fourth quarter Web-based customer relationship management (CRM) software based on its .Net platform. The suite will provide a Web-based system for managing accounting, human resources, supply chains and customer relationships at businesses with 25 to 500 employees, Microsoft said. It will be offered as a hosted service and as a product that companies can deploy on their own servers.

Short Takes

AOL TIME WARNER INC. confirmed Friday that it has hired an executive search firm to help find a new head for its flagging AMERICA ONLINE INC. Internet unit. . . . Increasing market share in the server marketplace helped DELL COMPUTER CORP. boost its earnings estimates for its second fiscal quarter of 2003 . . . ACCENTURE LTD. narrowly beat revenue and earnings expectations for the third quarter of its 2002 fiscal year . . . About 27% of developers in China are currently writing Linux applications, according to a survey of 700 developers by EVANS DATA CORP. in Santa Cruz, Calif.


Southwest Expands Business Tools’ Role

Will manage operational data with tools that helped stabilize finances after attacks

BY MARC L. SONGINI

Nearly a year after Sept. 11 and the ensuing plunge in airline revenues, Southwest Airlines Co. is so pleased with the performance of its business intelligence applications for financial management that it plans to expand deployment to include flight operations and maintenance.

While some companies have difficulty getting the most out of their very expensive analytic applications, in the middle of a crisis, the Dallas-based airline successfully put its Hyperion Solutions Corp. Essbase online analytical processing (OLAP) application and Pillar budgeting software to the test, according to one of the company’s top financial executives. Southwest was able to accurately make financial forecasts to help it prepare adequately for the severe market downturn.

Indeed, Southwest is one of the rare companies that has exploited its business intelligence applications successfully, said Lee Geishecker, an analyst at Stamford, Conn.-based Gartner Inc.

Key to Success

Southwest’s success resulted from its ability to tie its enterprise resource planning applications to its OLAP software and then present relevant financial data and scenarios to its decision-makers.

Typically, companies don’t adequately tie their financial applications into an OLAP system, analyze their data and then meaningfully present it to business personnel, but Southwest has proved that it can be done, Geishecker said.

Right after the terrorist attacks, the airline was operating “in a world of complete uncertainty,” said Mike Van de Ven, vice president of financial planning and analysis at Southwest. “We were asked to give some sort of financial insight for a variety of decisions the company might make.”

Prior to the roughly $1 million installation of Essbase from Sunnyvale, Calif.-based Hyperion in 1999, Southwest analysis personnel had to write queries by hand, spend perhaps a half hour running them and then put the figures into spreadsheets for additional analysis, which could take up to four hours. However, Essbase has cut that time to as little as two minutes, said Van de Ven, which means crucial savings for the airline.

After running worst- and best-case scenarios and creating forecasts, Southwest was able to come up with an action plan to stabilize its finances. It helped answer questions like, “How fast would we burn through our cash?” Van de Ven said. So far, the forecasts have been within 2% of the actual operating numbers, he noted.

Overall, the application has paid for itself through the savings that resulted from automating the data collection processes, Van de Ven said.

Navigating Tough Times

■ Since Sept. 11, Southwest’s OLAP application from Hyperion has helped to create what-if financial scenarios.

■ Forecasts based on those scenarios are within 2% of actual operating numbers.

■ New role-based views permit personnel to access operational data as well as financial figures.


NCR’s Teradata Pricing ‘Illogical,’ Gartner Warns

New nodes are 25% slower, firm claims

BY JAIKUMAR VIJAYAN

Gartner Inc. is cautioning NCR Corp.’s Teradata customers against overpaying for some recently introduced hardware, in response to what the research firm is calling “illogical pricing practices.”

The warning relates to a new generation of NCR’s massively parallel WorldMark servers that were introduced in May.

According to Gartner, the new two-processor nodes that are used in the latest WorldMark 5300 servers provide only 75% of the performance available with the four-processor nodes used in the previous WorldMark 5255 servers. But NCR is insisting on selling the new nodes at the same price as the older nodes, Gartner said.

In an advisory released earlier this month, Gartner analyst Kevin Strange said NCR’s prices “are not in line” with standard industry practice.

“By comparison, recent generations of Hewlett-Packard, IBM and Sun Microsystems high-end Unix servers effectively cut the hardware cost of processing power by increasing the processor speeds by up to 50% with little, if any, increase in price,” the advisory noted.

Vickie Farrell, a vice president in NCR’s Teradata warehouse group, challenged Gartner’s position. “What we sell is a complete solution that includes hardware and software,” Farrell said. “The list price on the box is totally irrelevant. We don’t sell off-the-shelf hardware. We sell uniquely configured systems that meet a customer’s particular needs.”

In fact, she said, when performance is compared, a 5300 server costs 11% less than a 5255 at the same performance level.

The real problem lies in NCR’s continued unwillingness to publish list prices on its hardware, Strange said. Unlike other vendors that have clearly published prices, NCR uses a bundled pricing model that gives customers very little idea about how much they’re really paying for their hardware, he said.

“If NCR doesn’t separately publish prices for its hardware, how do you know for sure that what you are getting is in fact cheaper” than previous hardware? he asked.

NCR’s habit of not publishing prices can be troubling, said Mohammad Rifaie, a senior manager of information resource management at Royal Bank of Canada in Toronto.

“This is an area of concern that I have raised with NCR management,” he noted. “Teradata is very strong in technology and total cost of ownership and brings a very good value to the table. But I think it will be to their advantage if they publish their prices.”
Liberty Alliance to Unveil Single Sign-on Technical Spec

Phase 1 deals with authentication sharing

LIBERTY ALLIANCE PROJECT AT A GLANCE

FOUNDED: September 2001

OBJECTIVE: To promote a federated network identity system for the Internet that enables single sign-on for consumers and businesses.

MANAGEMENT BOARD: American Express Co., AOL Time Warner Inc., BCE Inc., Citigroup Inc., France Telecom, General Motors Corp., Hewlett-Packard Co., MasterCard International Inc., Nokia Corp., NTT DoCoMo, Openwave Systems Inc., RSA Security Inc., Sony Corp., Sun Microsystems Inc., United Air Lines Inc., Vodafone Corp.

BY CAROL SLIWA

The Liberty Alliance Project today will reveal its long-awaited technical specifications to help companies set up systems that will let users sign on just once to gain access to a host of password-protected Web sites and services.

But the mere fact that the 40-member-plus consortium, led by Sun Microsystems Inc. and United Air Lines Inc., has finally produced something tangible may impress some industry observers more than the details about the technical specifications it backs, such as the Security Assertion Markup Language (SAML).

“A lot of people had been skeptical, and they didn’t really understand what this Liberty Alliance was about,” said David Smith, an analyst at Gartner Inc. in Stamford, Conn.

Founded last September, the Liberty Alliance Project promised to create technical specifications that would permit single sign-on and decentralized authentication based on openly available technologies. The initiative created an alternative to Microsoft Corp.’s Passport system, which authenticates only users who access sites that support Passport.

Both the Liberty Alliance and Microsoft have taken great pains to stress that they don’t compete. Bill Smith, Sun’s representative to the Liberty Alliance, said last week, “We’d hope that Microsoft or anyone with an interest in identity management would join in the work we’re doing.”

Meanwhile, Adam Sohn, a product manager at Microsoft, said his company could join the alliance, work informally with the group on interoperability standards or simply work to make sure its Passport system can share information with sites that support the Liberty specifications.

That sort of rhetoric has been going on for months with little movement, but Microsoft now has a real specification to review. “We’ll take a look at the spec and figure out what the next steps are,” Sohn said.

The Project Base

The Liberty specification is based on SAML, an XML-based security standard for exchanging authentication and authorization information, but it will also define extensions to SAML, according to James Kobielus, an analyst at Midvale, Utah-based Burton Group.

Kobielus said the Liberty specs use the basic formats and protocols of SAML and add extensions to support account linking, or “identity federation.” “Opaque identifiers” traverse the Internet, serving as anonymous IDs to permit users to access other sites, but they don’t contain personal account information, he said.

For instance, a user might book a flight on one site and be linked to other sites for car and hotel reservations, but all of his unique account information would be managed separately by the airline, rental car and hotel companies, Kobielus said.

“Liberty makes it difficult to aggregate personal data across linked accounts,” Kobielus said. But users can opt to link their accounts, he added.

Phase 1 of the Liberty specification deals strictly with authentication sharing, according to Sun’s Smith. Phase 2 is already under discussion, but no details are available.

How well the Phase 1 spec works in practice remains to be seen. Sun, Novell Inc. and other companies today are expected to pledge to support the Liberty specifications in their respective products.

Also today, about a dozen companies, including Novell, Sun and IBM’s Tivoli division, are scheduled to demonstrate SAML-enabled products at a hospitality suite sponsored by the nonprofit Organization for the Advancement of Structured Information Standards.

Gartner’s Smith said corporate IT departments will probably want to make their existing systems work in the Liberty environment rather than throw out what they have and buy new products. But that could mean custom coding for their developers, he said.


Novell Lays Out Road Map For New Directory Services

But company has yet to specify dates

BY CAROL SLIWA

Novell Inc. today plans to unveil an 18-month road map for its eDirectory server software, dubbed Project Destiny, that outlines its strategy to extend secure identity management to every aspect of Web services.

But while the software maker is drawing analysts’ praise for heading in the right direction, so far the only product that has an expected year’s end ship date is the Universal Description, Discovery and Integration (UDDI) server that’s being built on its eDirectory server.

“They have a lot of good ideas, and they’ve had them for a while. But when are they going to deliver?” said Mike Neuenschwander, an analyst at Burton Group in Midvale, Utah. “They’re trying to jump the gun and be a thought leader. It’s more important for them to be a product leader.”

At least with the Web services and UDDI plans, Novell may be running ahead of the demand curve. IT departments have hardly been rushing to build Web services or use public UDDI repositories that can help them find information about how their trading partners want to interact.

The first part of Novell’s directory services road map calls for the addition of a server to its eDirectory that will bring user authentication and access control to UDDI registries. That will allow authorized users to add information to and query information from UDDI registries, according to Ed Anderson, director of product management for the company’s identity services group.

Anderson said he anticipates that large companies will start to deploy internal UDDI repositories next year. He predicted that some will experiment with the federation of their internal repositories so they can share information with business partners. “It will become more prominent in 2004 and forward,” he said.

Neuenschwander said the UDDI server represents only “one-sixteenth” of what Novell wants to do through its Destiny road map. “The marketing guys are getting ahead of the engineering guys,” he said.

No timetable was announced for several key pieces of the plan, other than that they will be delivered next year, according to a Novell spokesman.

Those pieces include native support for XML and the Simple Object Access Protocol (SOAP) in the eDirectory server; a single point of management for user identities drawn from multiple applications and services; a rules-based engine that will help directories manage user access to network resources; and a federated system that will allow businesses to securely share identity information with business partners.

Anderson said the initial pieces will be modular add-ons to eDirectory, which is the foundation of Project Destiny.

John Enck, an analyst at Stamford, Conn.-based Gartner Inc., said the real value in Novell’s directory services plan will be from policy-based identity management, which will allow more users to be administered by fewer people.

“You’re not going to have to burn IT resources for a [...] task like adding or [...] user information in [...] directories,” Enck said.

Novell’s Plans

A UDDI server, built on Novell’s eDirectory, to add authentication and access control to UDDI registries; due by year’s end.

Native XML and SOAP support in eDirectory.

One management point for user identities drawn from multiple applications and services.

A rules-based engine that will help directories manage user access to network resources based on their roles in an organization.

A federated system to allow businesses to securely share identity data with their partners.
Oracle Tries Again With Messaging Wares

Aims to compete against Exchange

BY JENNIFER DISABATINO

Oracle Corp. last week announced back-end collaboration software that the company hopes will compete with Microsoft Corp.’s Exchange.

Oracle Collaboration Suite includes ready-made links to Oracle’s 9i databases, unified messaging and calendaring technology from newly acquired Steltor Inc. in Montreal.

The move is partly intended to prevent Microsoft from controlling the messaging market and being able to dictate how Oracle software will interoperate with Exchange, said Rene Bonvanie, vice president of product marketing at Oracle.

“I think . . . Lotus is irrelevant in this market,” Bonvanie said. “If we don’t stand up, Microsoft will gobble up everything, including Lotus, the way they did to Novell a few years ago,” said Bonvanie, referring to GroupWise, a messaging product from Novell Inc.

“At the end of the day, two companies will battle it out for predominance, and we think that we have a very serious shot at this,” said Bonvanie.

‘Heavy Lifting’

Not surprisingly, Microsoft and Lotus Software Group executives were somewhat dismissive of the announcement.

“We’ve been in this market for five-, six-plus years. We’ve done a lot of heavy lifting,” said Chris Baker, lead product manager for Exchange at Microsoft. “So they really have, maybe at best, 1.0 products.”

Baker added that Oracle’s offering may have strengths that Microsoft doesn’t, but it’s not a full-featured product. “It’s very much a ‘me too,’ ” he said.

Ed  Brill,  at;  IBM  Software 


operations  manager,  offered 
similar  views.  “I  have  a  deja  vu 
sense,”  he  said.  “This  is  like  the 
ninth  time  that  they’ve  tried  to 
get  into  the  market.” 

Still, one Notes customer said Oracle’s offering is worth considering. Lenox Inc. in Lawrenceville, N.J., is about to switch to Exchange because of the cost of maintenance and the difficulty of integrating Version R4.6 of Notes with Microsoft’s Office software. However, the company would have looked at Oracle’s new product if that decision hadn’t been made, said Bob Palmer, vice president of IT at Lenox. “To what degree, it’s hard to say without understanding [the product]. One of the issues with Oracle is that everything is database-driven, and that requires database licensing. It’s a very expensive proposition to get into that ballgame. If they could provide a solution that scales in a cost-effective manner,” it may be worth it, he said.

“Microsoft, for better or worse, they allow you to get into various solutions at more reasonable cost,” Palmer added. “You don’t have to be a Fortune 500 company to deploy their solutions.”

“I don’t think most people will rip and replace. But the future is uncertain,” said David Ferris, president of Ferris Research Inc. in San Francisco.

The suite has potential, said Michele Rubenstein, a board member of the Messaging Forum of The Open Group in San Francisco. “With Oracle 8i and above, you have the LDAP [Lightweight Directory Access Protocol] connections, and you can tie this into directory services and PKI [public-key infrastructure],” she said. “Oracle has market share on database, and Microsoft has market share on the messaging [client]. From a user perspective, that’s the best of both worlds.”


signals,  which  Chris  Gilbert, 
CEO  of  IPWireless,  said  is  the 
Holy  Grail  of  radio  frequency 
engineering.  Gilbert  said  his 
firm  has  developed  patented 
software  to  harness  the  power 
of  multipath  signals  for  a  quan¬ 
tum  increase  in  throughput. 

Berkoff  said  he  was  initially 
skeptical  about  the  IPWireless 
technology.  However,  not  only 
does  it  work,  but  it  does  so  at 
far  lower  capital  costs  than  so- 
called  third-generation  cellu¬ 
lar  wireless  systems  such  as 
those  offered  by  Nokia  Corp., 
he  said.  Berkoff  estimated 
his  capital  costs  per  cell 
at  $100,000,  as  opposed  to 
$250,000  per  cell  for  similar 
equipment  from  a  vendor  such 
as  Espoo,  Finland-based  Nokia. 

Joe  Brooks,  vice  president  of 
sales  and  market  development 
for  the  Broadband  Solutions 
division  of  financially  troubled 
WorldCom  Inc.,  said  his  com¬ 
pany  believes  in  the  technol¬ 
ogy  enough  to  deploy  it  on  its 
MMDS  system  in  Memphis. 
Commercial  service  is  slated 
to  start  next  month. 

“I haven’t seen anything like”
IPWireless’  technology,  which 
could  be  a  real  plus  for  World¬ 
Com,  Brooks  said.  WorldCom 
spent  $1  billion  for  its  nation¬ 
wide  MMDS  licenses  in  the  late 
1990s.  Since  the  IPWireless  mo¬ 
dem  is  easy  for  a  customer  to 
install,  Brooks  said,  it  could 


High-Speed  Wireless  Service 
Debuts,  Draws  Keen  Interest 

256K  service  based  on  IPWireless  technology 


BY  BOB  BREWIN 

Next  month,  the  Hyatt  Re¬ 
gency  Maui  in  Hawaii  will  start 
offering  hotel  guests  a  mobile 
wireless  service  that  blazes 
along  at  256K  bit/sec.  —  four  to 
five  times  the  speed  of  next- 
generation  high-speed  data 
services provided by U.S. cellular carriers.

Gary  Bulson,  di¬ 
rector  of  engineer¬ 
ing  at  the  Hyatt 
Corp.  hotel,  said 
the  capital  cost  of 
the  service  is  only 
$10,000,  which  was  the  price  of 
the  25  pocket-size  modems  that 
tap  into  the  high-speed  service 
provided  by  Maui  Sky  Fiber 
LLC  in  Kihei,  Maui. 

Steve  Berkoff,  managing  di¬ 
rector  of  Maui  Sky  Fiber,  said 
his  system,  which  will  eventu¬ 
ally  blanket  the  island  of  Maui, 
has  a  raw  throughput  of  3M 
bit/sec.  He  plans,  however,  to 
limit  it  to  1.2M  bit/sec.  “be¬ 
cause  we  don’t  have  demand 
for  that  kind  of  speed  on  Maui.” 

Maui  Sky  Fiber  plans  to  offer 
both mobile and fixed wireless
services  on  Maui,  with  prices 
ranging  from  $12.95  per  day  for 
guests  using  the  mobile  service 
to  $349.95  per  month  for  a  768K 
bit/sec.  fixed  service  to  enter¬ 
prise  customers,  a  price  Berk¬ 
off  said  compares  favorably 
with cable modem or Digital Subscriber Line rates on the island.

The  company 
offers  the  service 
based  on  the  inter¬ 
national  Universal 
Mobile  Telecom¬ 


munications  System  standard 
over  a  licensed  system  operat¬ 
ing  in  the  2.5-  to  2.6-GHz  Mul¬ 
tichannel  Multipoint  Distribu¬ 
tion  System  (MMDS)  frequen¬ 
cy  band.  That  band  has  been 
designated  by  the  Federal 
Communications  Commission 
for  fixed  wireless  operations 
delivering  video  or  data. 

Berkoff  said  the  key  to  his 
operation  is  technology  devel¬ 
oped  by  San  Bruno,  Calif.- 
based  IPWireless  Inc.  that 
takes  advantage  of  multipath 
If we don’t
stand  up, 
Microsoft  will 
gobble  up 
everything,  in¬ 
cluding  Lotus, 
the  way  they 
did  to  Novell  a 
few  years  ago. 

RENE  BONVANIE,  VICE  PRESIDENT 
OF  PRODUCT  MARKETING,  ORACLE 


save  WorldCom  the  costs  asso¬ 
ciated  with  sending  out  an  in¬ 
stallation  technician. 

Analyst  Lindsay  Schroth  at 
The  Yankee  Group  in  Boston 
called  the  IPWireless  technol¬ 
ogy  “incredible,”  noting  that  it 
gives  suppliers  and  customers  a 
high-speed  fixed  or  portable 
service in one package.

IPWireless  vs. 
Cellular  Data 

IPWIRELESS 

■  3M  bit/sec.  raw  speed 

■  $12.95  a  day,  or  $99.95  a 
month,  for  mobile,  256K  bit/sec. 
service  with  unlimited  use 

■  $349.95  a  month  for  768K  bit/ 
sec.  fixed  service  for  unlimited  use 

AT&T  WIRELESS 

■  GPRS  mobile  data  service 

■ 20K to 40K bit/sec.

■  Up  to  5MB  per  month  of  data, 
downloaded  for  $30  a  month 

■  Up  to  100MB  of  data  down¬ 
loaded  a  month  for  $100  a  month 

VERIZON  WIRELESS 

■ CDMA 1x mobile data service

■  50K  to  70K  bit/sec. 

■  150  minutes  for  $35  per  month 

■  3,000  minutes  for  $300  a  month 


Frequently  asked  question  /  abbrev:  FAQ 

It's  the  question  we  hear  most  frequently:  how  can  you  leverage  your  investment  in  existing  infrastructure  but 
not  miss  out  on  the  benefits  of  new  technology?  Answer:  The  Sprint  network  boasts  seamless  interoperability 
between  IP,  frame  relay  and  ATM  platforms  —  just  what  you  need  to  help  take  advantage  of  current  systems 
while  migrating  to  new  technology. 

Anytime  to  virtually  anywhere  connectivity 

We're  the  only  telecommunications  provider  that  supports  both  nationwide  wireless  and  wireline  access  to 
your  critical  data  applications.  We  can  help  you  integrate  wireline  IP  services  with  the  latest  wireless  always-on, 
real-time  mobile  data  solutions.  The  result?  Try  higher  productivity  with  access  to  your  data  anytime  you 
need  it  —  in  the  office  or  on  the  road. 


"Any  to  any"  connectivity 

We've also engineered a network solution that marries the "any to any" connectivity of IP to the reliability and
security  of  frame  relay.  It's  called  Internet  Protocol  Intelligent  Frame  Relay  (let's  just  call  it  IPiFR),  and  it's  based 
on  a  flexible  router  architecture  that  can  run  over  multiple  backbone  technologies  —  a  domestic  industry  first. 
What  this  can  give  you  is  VPN  services  that  (1)  provide  meshed  connectivity  (2)  without  multiple  PVCs  (3)  while 
maintaining  predictable  scalability.  In  other  words:  you  can  add  locations  and  new  applications  without  replacing 
your  existing  infrastructure  or  adding  significant  costs. 

Get  more  from  existing  technology  and  get  ready  for  the  latest  —  another  sign  of  an  intelligent  network  and  the 
people  who  make  it  work  (for  you). 


For  more  answers,  visit  our  complete  library  of  downloadable  white  papers 
at  sprint.com/whitepapers/13  or  call  1-877-604-1844. 
EMC Taps Accenture
For  Consulting  Unit 

EMC  Corp.  last  week  announced  the 
creation  of  Information  Solutions 
Consulting,  a  business  unit  that  it 
will  operate  in  a  five-year  pact  with 
Accenture  Ltd.  The  unit  is  an  ele¬ 
ment  of  the  Hopkinton,  Mass.-based 
company’s  strategy  to  remake  its 
business  so  that  50%  of  revenue  is 
derived  from  hardware,  30%  from 
software  and  20%  from  services. 

Tools  Available  for 
Visual  Studio  .Net 

Microsoft  Corp.  last  week  made 
available  educational  materials  and 
a  tool  kit  to  help  developers  build 
applications  using  the  Visual  Studio 
.Net  development  environment. 

Also,  an  integration  software  devel¬ 
opment  kit  enables  companies  to 
hook  their  internally  built  tools  into 
the  Visual  Studio  .Net  environment. 

Microsoft  Joins 
LinuxWorld  Exhibitors 

Microsoft  for  the  first  time  will  spon¬ 
sor  a  booth  at  the  LinuxWorld  Con¬ 
ference  &  Expo,  to  be  held  next 
month  in  San  Francisco.  The  compa¬ 
ny  will  display  wares  such  as  its  em¬ 
bedded  operating  systems.  “I  would 
definitely  not  treat  this  as  a  move 
[by  Microsoft]  to  open  source,  but 
as  a  way  to  reach  people  we  have 
to  reach,”  said  Pete  Houston,  senior 
director  of  Microsoft’s  Windows 
server  product  management  group. 

Security  Flaw  Found 
In  iPlanet  Web  Server 

A  security  vulnerability  in  the 
search  feature  of  Sun  Microsystems 
Inc.’s  iPlanet  Web  server  can  allow 
attackers  to  execute  code  of  their 
choice  on  remote  iPlanet  servers, 
according  to  a  security  advisory 
released  last  week  by  U.K.-based 
Next  Generation  Security  Software 
Ltd. The flaw affects iPlanet Web
server  Versions  4.1  and  6.0. 
California Proceeds
Without  an  IT  Dept. 


New  unit  to  create  plan  to  deal  with 

procurement,  security  issues  in  state 


BY MARC L. SONGINI

WITH THE recent demise of a central oversight department, the state of California during the next weeks and months must cobble together procedures to both procure and secure its multibillion-dollar IT systems.

Lacking  legislative  reautho¬ 
rization,  the  state’s  Depart¬ 
ment  of  Information  Technol¬ 
ogy  (DOIT)  officially  ceased 
to  exist  July  1,  largely  because 
of  its  role  in  a  controversial 
database  licensing  agreement 
with  Oracle  Corp. 

For  now,  state  agencies  must 
work  with  the  Department  of 
Finance  and  assume  responsi¬ 
bility  for  their  own  IT  projects. 


But  Gov.  Gray  Davis  also  creat¬ 
ed  a  new  unit,  the  Technology 
Oversight  and  Security  Unit 
(TOSU),  whose  task  is  to 
come  up  with  a  long-term  plan 
to  help  manage  the  state’s  multi¬ 
billion-dollar  IT  investments. 

Botched  Deal 

The  DOIT  was  created  in 
1996  to  oversee  high-tech  proj¬ 
ects  throughout  California.  Af¬ 
ter  earlier  controversies,  its  for¬ 
tunes  declined  irreversibly  in 
April,  when  a  scathing  report 
from  the  state  auditor’s  office 
laid  at  its  door  much  of  the 
blame  for  an  approximately 
$126  million  exclusive  database 
licensing  deal  with  Oracle. 
The deal, called an enterprise licensing agreement (ELA), would have wound up costing more money than a competitively bid license, the auditor claimed.

Without a

FOLLOWING THE DEMISE OF CALIFORNIA’S DOIT:

■ State agencies will work with the Finance Department to oversee IT-related projects.

■ Gov. Gray Davis created the Technology Oversight and Security Unit to develop a long-term plan for managing the state’s IT infrastructure.

■ The TOSU expects to establish procedures to secure the state network, make bidding processes more fair and promote communication among California IT leaders.

Oracle  declined  to  comment 
on  the  DOIT’s  expiration,  and 
negotiations  are  under  way  to 
rescind  the  ELA. 

The  head  of  the  TOSU  is 
Clark  Kelso,  a  law  professor  at 
the  McGeorge  School  of  Law  at 


the  University  of  the  Pacific 
in  Sacramento.  He  said  his  pri¬ 
mary  task  will  be  to  create  a 
road  map  for  what  the  unit 
wants  to  accomplish  during 
the  next  18  months. 

Among  the  long-term  goals 
is  to  make  sure  all  IT  purchas¬ 
es  are  done  fairly  and  ethically, 
he  said.  “We  want  to  reduce 
any  appearance  of  bias  or  fa¬ 
voritism,”  Kelso  told  Computer- 
world  last  week. 

He  also  said  the  state  has  to 
do  a  better  job  of  securing  its 
network,  not  just  because  of 
concerns  about  cyberterrorism, 
but  also  because  there  was  an 
unauthorized  intrusion  into  a 
computer  at  the  state’s  Teale 
Data  Center.  The  hackers  who 
broke  into  that  system  were 
able  to  access  the  Social  Securi¬ 
ty  numbers  and  payroll  infor¬ 
mation  of  all  state  employees 
[QuickLink:  30215]. 

Among  the  lessons  Kelso 
said  he  has  learned  from  the 
DOIT  collapse  is  the  need  for 
IT  departments  to  communi¬ 
cate  with  other  branches  in  an 
organization  about  projects  and 
their  worth.  “DOIT  did  not  ful¬ 
ly  engage  the  legislature  and 
didn’t  let  it  know  what  it  was 
doing  and  what  value  they 
were contributing,” he said.


FBI’s  New  CIO  Undaunted  by  Challenges 


Says  private-sector 
past  will  aid  in  post 

BY TODD R. WEISS

After serving as the worldwide director of information and communications systems for the 11 million-member Church of Jesus Christ of Latter-day Saints in Salt Lake City since 1990, Darwin A. John will join the government today as the new CIO at the FBI. John, 64, was named to the post last week by FBI Director Robert S. Mueller III to replace Bob Dies, who served for two years as both CIO and assistant director for information resources at the agency [QuickLink: 31258].

Since the terrorist attacks on the U.S. last September, IT systems at the FBI and other federal agencies have come into question. Some reports say the systems are antiquated and as much as a decade out of date. Where do you begin to make changes to help the FBI fight terrorism?

Director Mueller has stated publicly that there is some catching up to do. He’s been clear about that. Some news reports, I believe, may have been exaggerated. I don’t see any challenge that isn’t doable. Since I haven’t yet started at the agency, I haven’t been close enough to the FBI’s situation to know exactly what will be needed. I will see when I get there. One specific information management part of my new job will be ensuring that the right information is captured and accessible to those who need access and is not accessible to those who shouldn’t have access.

How will your previous experiences help you prepare for and perform your new job at the FBI, where fighting terrorism has become the new mantra?

Across my experiences are some systemic things that are very much in common, such as supporting the enterprise and helping to realize its reason for being. My belief is that basic CIO leadership is very transferable across those various kinds of environments where I have worked.

What were your responsibilities in your job with the church?

I have been focused on similar things, such as anticipating the future, setting strategic direction and doing development work to put tools and people in place to support the church’s mission. My job also entailed minding the shop day to day and ensuring that the infrastructure was reliable and secure.

What are your thoughts as you start this job, knowing how important it may be to the future security of our nation, which is facing the continuing threat of terrorism?

At this stage of my life, when most people would probably be thinking about playing golf more often, I’ve still got some passion about seeing if I can help make a difference for the country.


We discovered that the current state of Windows® and Intel solutions offers considerable savings and an attractive alternative to the classic RISC/UNIX solutions for BI implementation.

Source: Walklett Group, February 2002

Figure 6

The Microsoft® SQL Server™ 2000/Unisys BI solution offers $3.2 million in savings compared with the Oracle/Sun system over a five-year period.

Going with the facts saves money.

microsoft.com/sql/tco  Software for the Agile Business
NEWS


License  Tracker  Launched 
As  Microsoft  Deadline  Looms 


Users  can  get  snapshot  of  software  assets 
in  preparation  for  contract  negotiations 


BY  CAROL  SLIWA 

AS  MICROSOFT  users 
face  a  key  July  31  li¬ 
censing  deadline,  a 
Canadian  firm  last 
week  launched  its 
LicenseTracker  service  to  help 
companies  take  stock  of  their 
Microsoft  software  in  prepara¬ 
tion  for  contract  negotiations. 

Through  the  LicenseTracker 
service  from  AssetMetrix  Inc. 
in  Ottawa,  corporate  users  can 
inventory  all  of  the  Microsoft 
Corp.  software  running  on 
their  desktops,  laptops  and 
servers.  They  can  then  gain 
access  to  Internet-based  re¬ 
ports  that  provide  details  on 
the  product  versions  being 
used  and  on  the  build  numbers 
and  license  keys. 

“They  can  inventory  their 
entire  population  literally  in 
hours,  no  matter  how  central¬ 
ized  and  how  big  they  are,” 
said  Paul  Bodnoff,  president 
and  CEO  of  AssetMetrix. 

Under  Microsoft’s  old  licens¬ 
ing  system,  many  companies 
didn’t  keep  track  of  their  li¬ 
censes,  and  as  a  result,  some 
of  them  overbought  or  under¬ 
bought  when  the  time  came  for 
upgrades,  Microsoft  CEO  Steve 
Ballmer  told  Computerworld 
last  month. 

Now  that  the  company’s  new 
Version  6.0  volume  licensing 
program  is  taking  effect,  com¬ 
panies  are  being  advised  to  get 
an  accurate  snapshot  of  their 
software  assets  in  order  to  de¬ 
termine  which  of  the  new  pro¬ 
grams,  if  any,  will  make  sense 
for  them. 

“It’s  really  never  too  late  to 
implement  some  type  of  asset 
management,”  said  Alvin  Park, 
an analyst at Stamford, Conn.-
based  Gartner  Inc. 

However,  with  just  16  days 
left  before  the  licensing  dead¬ 
line,  Park  said  he’s  not  sure 
how  much  the  LicenseTracker 
service  can  help. 

Rebecca  LaBrunerie,  prod¬ 
uct  manager  of  worldwide  li¬ 
censing  and  pricing  at  Micro¬ 
soft,  said  she  was  unfamiliar 
with  the  product  and  thus  un¬ 
able  to  comment  on  its  merits. 

“We’ve  long  said  that  custo¬ 
mers  need  to  understand  what 
software  assets  they  have  as 


Product  features 
tool  integration, 

Web  services  support 

BY  CAROL  SLIWA 

Microsoft  Corp.  last  week  re¬ 
leased  a  beta  version  of  its 
Content  Management  Server 
2002  that  features  additional 
authoring  and  administration 
capabilities,  as  well  as  native 
support  for  XML  and  key  Web 
services  standards.  Perhaps 
most  notable,  however,  is  its 
tighter  integration  with  many 
of  Microsoft’s  other  products. 

One  of  the  product’s  key 
differentiators,  for  instance,  is 
its  integration  with  the  Visual 
Studio  .Net  tool  set.  The  com¬ 
pany  removed  developer  cli¬ 
ents  from  Content  Manage¬ 
ment  Server  2001  in  favor  of  the 
new  tools,  said  Chris  Ramsey,  a 
product  manager  in  Microsoft’s 
.Net  Enterprise  Server  group. 

Customers  who  purchase 
Visual  Studio  .Net  —  which 


the  first  step  to  making  an  in¬ 
formed  licensing  decision,”  she 
said.  “But  again,  I  can’t  com¬ 
ment  as  to  the  results  gener¬ 
ated  by  a  third-party  product.” 

Users  have  until  July  31 
to  enroll  in  Microsoft’s  new 
Software  Assurance  program, 
which  entitles  a  company  to 
receive  the  latest  versions  of 
Microsoft  products  during  its 
contract  term.  Enrolled  com¬ 
panies  pay  25%  of  the  volume 
license  fee  for  server  software 
products  and  29%  for  desktop 
products  on  an  annual  basis. 

Another  option  open  until 
July  31  is  Upgrade  Advantage, 
which  moves  a  company  to  the 
current  version  of  a  Microsoft 
software  product  and  “grand¬ 


costs  $1,079  for  the  profession¬ 
al  edition  —  will  get  a  project 
wizard  to  help  them  build  Web 
sites,  saving  them  from  having 
to  write  hundreds  of  lines  of 
code,  according  to  Ramsey. 

Ramsey  said  customers  will 
also  get  a  gallery  of  content 
and  functionality  controls  that 
can  be  dragged  and  dropped 
into  applications.  An  Explorer 


KEY  FEATURES 


Content  Management 
Server  2002 

■  Direct  publishing  from  Microsoft  Word 

■  Distributed  administration 

■  Native  support  for  XML-based  content 

■  Native  support  for  key  Web  services 
standards  such  as  the  Simple  Object 
Access  Protocol 

■  Visual  Studio  .Net  tool  set  integration 

■  Drag-and-drop  content  management 
server  controls 

■  Wizard  for  creating  Web  services 

■  Source-code  management  system 
support 


fathers”  them  for  Software  As¬ 
surance  at  a  later  date. 

Companies  that  don’t  opt 
for  Software  Assurance  or  Up¬ 
grade  Advantage  can  simply 
buy  new  software  licenses, 
potentially  at  higher  costs,  at  a 
later  date.  Or  they  can  get  their 
Microsoft  software  licenses  as 
part  of  a  PC  hardware  purchase. 

The  LicenseTracker  service 
costs  $2  per  seat  through  July 
31.  Customers  may  then  opt  to 
upgrade  to  a  full-service  sub¬ 
scription.  AssetMetrix’s  Impact 
service  costs  $3  per  seat  for 
a  30-day  subscription;  its  Proj¬ 
ect  service  is  $7  per  seat  for  a 
90-day  subscription;  and  the 
Premier  service  is  $15  per  seat 
for a full-year subscription.


panel  is  designed  to  help  them 
navigate  content  in  the  prod¬ 
uct’s  repository  and  connect  it 
to  their  Web  site  projects. 

Customers  can  use  Content 
Management Server without
Visual  Studio  .Net,  but  Micro¬ 
soft  will  recommend  that  they 
buy  both,  Ramsey  said. 

Other  products  that  have 
tight  hooks  into  the  new  Con¬ 
tent  Management  Server  in¬ 
clude  Microsoft’s  Office  soft¬ 
ware  and  Application  Center 
server.  A  new  authoring  con¬ 
nector  lets  users  create  Web 
content  in  Microsoft  Word  and 
publish  it  directly  to  their  Web 
sites  via  the  Content  Manage¬ 
ment  Server.  Through  Appli¬ 
cation  Center,  users  can  manu¬ 
ally  or  automatically  schedule 
the  deployment  of  a  Web  site 
throughout  the  development 
process,  from  server  to  server. 

Content  Management  Serv¬ 
er  also  features  tight  connec¬ 
tions  to  other  Microsoft  prod¬ 
ucts,  such  as  Commerce  Server 
and  BizTalk  Server. 

Nicholas  Wilkoff,  an  analyst 
at  Forrester  Research  Inc.  in 
Cambridge,  Mass.,  said  that  in¬ 
tegration  will  help  Microsoft 
compete  more  aggressively  in 
the  enterprise  market  against 
competition  such  as  Docu- 


Microsoft  Releases  Content 
Management  Server  Beta 


On  July  31 

■  The  direct  enrollment  period 
for  Microsoft’s  new  Software 
Assurance  program  ends. 

Software  Assurance  entitles  cus¬ 
tomers  to  the  latest  version  of  a 
Microsoft  product.  The  annual 
cost  is  25%  of  the  volume  license 
fee  for  a  server  product  and  29% 
for  a  desktop  product.  In  order  to 
be  eligible,  a  company  must  be 
running  the  most  current  version 
of  the  product.  After  July  31,  a 
company  must  purchase  new 
licenses  in  order  to  be  eligible  for 
Software  Assurance. 


■  Microsoft’s  Version  5 
volume  licensing  program 
ends  and  the  Upgrade  Advantage 
option  will  no  longer  be  available. 
Upgrade  Advantage  entitles  a 
company  to  all  available  upgrades 
of  a  product  and  thereby  “grand¬ 
fathers”  the  company  so  it’s  eligi¬ 
ble  to  move  to  the  new  Software 
Assurance  program. 


mentum  Inc.,  Interwoven  Inc. 
and  Vignette  Corp.  He  added 
that  those  vendors  also  recom¬ 
mend  various  add-on  prod¬ 
ucts,  such  as  Java-based  appli¬ 
cation  servers  and  tools  that 
must  be  purchased  separately. 

“Microsoft  puts  a  lot  of  price 
pressure  on  these  vendors  and 
offers  something  that’s  quicker 
and  easier  to  implement,”  said 
Wilkoff.  But  so  far,  the  compe¬ 
tition  has  landed  more  cus¬ 
tomers  doing  large-scale  de¬ 
ployments  to  date,  he  said. 

Since  acquiring  the  Content 
Management  Server  product 
last  year  when  it  bought  NCom- 
pass  Labs  Inc.  in  Vancouver, 
British  Columbia,  Microsoft 
claims  to  have  substantially  in¬ 
creased  the  number  of  enter¬ 
prisewide  deployments  of  its 
product. 

Jim  Murphy,  an  analyst  at 
AMR  Research  Inc.  in  Bos¬ 
ton,  said  Content  Management 
Server  2001  was  “fairly  light- 
weight”  and  that  Microsoft  won 
deals  largely  based  on  its  mar¬ 
ket  strength  and  viability.  He 
said  the  new  product  brings 
substantial  improvements,  es¬ 
pecially  “demonstrable  Web 
services  capability,”  which  will 
lift  it  “more  to  a  par  with  enter¬ 
prise competitors.”


Scalable  IP  security  without  breaking  the  bank. 
Meet the Contivity 1000 Series.

How do you harness the power and reach of the Internet in a way that provides security and allows you to scale your network? How do you do this without breaking your IT budget? Look no further than the Contivity™ 1000 family with Secure Routing Technology. The Contivity 1000 Series enables businesses to easily build and manage large VPN networks, using dynamic routing protocols over encrypted tunnels. In addition to support for dynamic routing (RIP and OSPF), it comes fully loaded with remote access VPN, site-to-site VPN, firewall, QoS and bandwidth management. And here's the good part - mix-and-match services. You only buy the services you need initially and turn up the rest when you’re ready. It’s as easy as turning on a license key. No multiple boxes. No installation hassles. Low TCO. The Contivity 1000 can be installed as a stand-alone IP access gateway (with 5 free VPN tunnels) or behind an existing WAN access device, totally off-loading all security processing. For more information, visit nortelnetworks.com/contivity.

Starting under $1,000
BRIEFS


Business  Objects  to 
Buy  Acta  Technology 

French  software  maker  Business 
Objects  SA  announced  an  agree¬ 
ment  last  week  to  acquire  Acta 
Technology Inc. for close to $65
million,  with  plans  to  join  the  two 
companies’  data  analysis  software 
products.  Acta,  in  Mountain  View, 
Calif.,  sells  software  for  collecting 
and  organizing  data  from  a  variety 
of  systems,  including  enterprise  re¬ 
source  planning  and  customer  rela¬ 
tionship  management  applications. 


Former  Compaq  Exec 
Replaces  EMC  CTO 

EMC  Corp.  said  last  week  that  its 
retiring  chief  technology  officer,  Jim 
Rothnie,  is  being  replaced  by  former 
Compaq  Computer  Corp.  executive 
Mark  Lewis,  who  will  serve  as 
EMC’s  CTO  and  executive  vice  pres¬ 
ident  of  new  ventures.  After  Com¬ 
paq  was  bought  by  Hewlett-Packard 
Co.,  Lewis  was  named  head  of 
worldwide  marketing  and  solutions 
at  Network  Storage  Solutions,  HP’s 
newest  storage  division. 


Short  Takes 

VHA INC. and IBM signed a deal that calls for IBM to supply PCs and servers to Irving, Texas-based VHA’s network of 2,200 health care organizations. Terms weren’t disclosed. . . . Internet auction company EBAY INC. is buying Mountain View, Calif.-based online payment company PayPal Inc. in a stock-swap deal valued at $1.5 billion. . . . Three security holes in MICROSOFT CORP.’S SQL Server and one in an encryption plug-in made by Network Associates Inc. for Microsoft’s Outlook e-mail client were patched by the vendors last week. . . . SAP AG issued a warning that it’s reducing its revenue and earnings expectations for its just-ended second quarter. . . . The U.S. House of Representatives last week approved legislation requiring the NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY to develop standards for improving supply chain integration.
IBM Hits Both Ends
Of  Storage  Market 


New  Shark  servers  double  performance  of 
predecessor;  NAS  device  aimed  at  low  end 


BY  LUCAS  MEARIAN 

IBM  will  soon  be  offering 
new  low-  and  high-end 
storage  arrays  aimed  at 
challenging  rivals  such 
as  Hitachi  and  Dell  with 
faster  devices  that  provide 
lower  ownership  costs. 

IBM  said  this  week  that  it 
will  soon  release  two  new  ver¬ 


sions  of  its  high-end  TotalStor- 
age  Enterprise  Storage  Server, 
also  known  as  Shark.  The  new 
Shark  Model  800  and  800  Tur¬ 
bo  have,  respectively,  two  and 
two  and  a  half  times  the  perfor¬ 
mance  of  the  current  model 
and  operate  at  2G  bit/sec.  data 
transfer  rates. 

The  Shark  is  available  with  a 


variety  of  options,  including 
15,000  RPM  disk  drives  in  both 
18.2GB  and  36.4GB  capacities, 
and  is  powered  by  new  copper 
microchips.  It  also  has  64GB  of 
internal  cache  and  3.2G  bit/sec. 
internal  bandwidth. 

For  grocer  Royal  Ahold  NV, 
the  new  Shark  server  “signifi¬ 
cantly  increased  the  perfor¬ 
mance”  of  the  company’s  back¬ 
up  and  recovery  process  and 
tripled  its  storage  capacity, 
said  Joe  Giacometti,  senior 
vice  president  of  IT.  Giacomet- 


Itanium  2  Adoption  Expected  to  Be  Slow 


Analysts  say  OS, 
software  needed  to 
inspire  confidence 

BY  JAIKUMAR  VIJAYAN 

Intel  Corp.’s  64-bit  Itanium 
processors  may  ultimately  re¬ 
place  their  RISC  counterparts 
as  the  technology  of  choice  for 
high-end  commercial  server 
hardware.  But  don’t  look  for 
that  to  happen  anytime  soon. 

The  lack  of  an  enterprise- 
tested  64-bit  operating  system 
and  applications  that  can  take 
immediate  advantage  of  Itani¬ 
um  will  mean  a  slow  adoption 
rate,  users  and  analysts  said  in 
the  wake  of  last  week’s  intro¬ 
duction  of  the  second-genera¬ 
tion  Itanium-2  chip. 

Intel  itself  said  it  doesn’t  ex¬ 
pect  differently.  “This  is  not 
something  we  expect  will 
ramp  up  overnight,”  said  Bar¬ 
bara  Grimes,  an  Intel  spokes¬ 
woman.  “We  are  looking  at  this 
as  the  processor  technology 
for  the  next  20  years.” 

Itanium  has  already  begun 
delivering  on  some  of  its 
promise  as  a  viable  alternative 
to  more  expensive  RISC  boxes 
from  vendors  such  as  IBM  and 
Sun  Microsystems  Inc. 

The  National  Center  for  Su¬ 
percomputing  Applications 


(NCSA)  at  the  University  of 
Illinois  at  Urbana-Champaign 
is  using  Itanium  technology  to 
build  a  Linux  cluster  with  13.6 
trillion  floating-point  opera¬ 
tions  per  second  for  scientific 
research  purposes. 

“We’ve  been  very  pleased 
with  the  performance  we’ve 
seen  so  far,”  said  Dan  Reed,  di¬ 
rector  of  NCSA.  “It’s  competi¬ 
tive  with  what  we’ve  seen  on 
. . .  RISC-based  systems.” 

Big  Improvement 

Based  on  early  benchmarks, 
Itanium  2  delivers  far  more 
power  and  sophistication  than 
the  disappointing  first  version 
of  the  chip  introduced  in  June 
of  last  year,  analysts  said. 

“The  improvement  in  per¬ 
formance,  at  least  from  bench¬ 
marking  tests,  suggests  that  In¬ 
tel  was  listening  pretty  closely 
to  the  concerns  and  reserva¬ 
tions  that  customers  and  ven¬ 
dors  had  to  the  first-generation 
product,”  said  Charles  King,  an 
analyst  at  The  Sageza  Group 
Inc.  in  Mountain  View,  Calif. 

But  more  pieces  have  to  fall 
into  place  for  users  to  be  able 
to  migrate  commercial  appli¬ 
cations  to  Itanium  with  confi¬ 
dence,  said  Sarang  Ghatpande, 
an analyst at D.H. Brown Associates Inc. in Port Chester, N.Y.

The  biggest  piece  needed  is 


a  fully  tested,  production- 
ready  64-bit  operating  system 
that  can  take  advantage  of  Ita¬ 
nium  hardware,  he  said.  Sever¬ 
al  operating  systems  are  avail¬ 
able  for  Itanium,  including 
Windows  Advanced  Server 
Limited  Edition,  Windows  XP 
64-Bit  Edition,  HP-UX  and 
versions  of  Linux  from  Caldera 
International  Inc.  and  Red  Hat 
Inc.  But  most  of  these  are  real¬ 
ly  first  versions  that  are  unlike¬ 
ly  to  inspire  much  confidence 
among  enterprise  users,  said 
Ghatpande. 

It’s  the  same  story  on  the  ap¬ 
plication  software  side.  Major 
vendors  are  porting  their  soft¬ 
ware  to  Itanium  2  —  as  IBM  is 
doing  with  DB2  and  Web¬ 
Sphere,  Oracle  Corp.  with  its  9i 
database  technology,  and  BEA 
Systems  Inc.  with  WebLogic. 
But  here,  too,  the  applications 
are  first  versions  and  remain 
untested  on  Itanium. 

Until  the  software  matures, 
commercial  users  are  unlikely 
to  use  Itanium  for  anything 
more  than  development  and 
testing  purposes,  especially  in 
a  tight  economy,  King  said.  I 

ti also said the new Shark reduced the cost of managing information by $50 per gigabyte.

The 800 and the 800 Turbo, which carries two additional processors, come with Project eLiza self-management features that enable real-time configuration and management capabilities.

Mike Kahn, president and CEO of The Clipper Group Inc. in Wellesley, Mass., said that with the new Shark models, IBM has caught up with the speed of Hitachi Data Systems Corp.’s Freedom Storage Lightning 9900 enterprise array. “The disks essentially get you the data faster, and these new engines allow you to move it faster,” Kahn said.

The 800 will be generally available Aug. 16; pricing will depend on the configuration, which can support RAID-10 data mirroring and striping for performance-sensitive applications, such as online transaction processing and Oracle databases.

IBM last week also announced a pizza-box-size network-attached storage (NAS) device aimed at low and midmarket uses, such as local storage for distributed offices. The TotalStorage NAS 100 array, which has a list price of $4,420, is the third NAS product IBM has released in the past three years. IBM has used the same software management applications in each.

IBM’s Faster, Smarter Sharks

Additional software and processors and faster disk drives give the new Sharks:

■ 2G bit/sec. data transfer rates

■ Two and two and a half times the performance of the current model

■ 64GB internal cache and 3.2G bit/sec. internal bandwidth

■ RAID-10 data mirroring and striping

■ Project eLiza software self-management features

■ 15,000 RPM disk drives in 18.2GB and 36.4GB capacities

5 cool things to do while you wait for a disaster to hit your company.

1. Test new applications.

2. Deploy new applications.

3. Shorten backup windows.

4. Refresh data warehouses.

5. Take a whole hour for lunch.

Nasdaq Ready to Launch $107M Stock Trade System

Technology represents bandwidth doubling

BY LUCAS MEARIAN

AFTER SPENDING three years and $107 million on a project that included the installation of more than 200 servers, Nasdaq Stock Market Inc. last week said it’s prepared to launch its SuperMontage electronic order display and execution system on July 29.

SuperMontage, which is a real-time, fully integrated order display and execution system, was built in response to issues such as decimalization (for the switch-over from reporting prices in fractions) and increased trade volume.

“This should reduce intraday volatility through more information, liquidity and depth,” said Nasdaq President Richard Ketchum.

The backbone of Nasdaq’s telecommunications will be managed by WorldCom Inc. and connect 1,000 trade locations across the country to a main data center in Connecticut and a backup site in Maryland. Addressing WorldCom’s ongoing financial problems, Nasdaq CIO Steve Randich said the network is “separate and distinct . . . and the WorldCom employees are dedicated to the account.”

“We’re confident WorldCom will be our provider for the next several years,” he added.

Test Stocks

Nasdaq plans to open SuperMontage with a few test stocks and then include about 10 additional stocks every week thereafter. Ketchum said he [...] to list New York Stock Exchange securities, but he had no definite timeline for that.

Jim Van Dyke, an analyst at Javelin Strategy and Research Inc. in Pleasanton, Calif., said the adoption of SuperMontage by securities firms shouldn’t be affected by the current economic slowdown. In fact, he noted that rollouts are easier when activity level is low.

Nasdaq’s current order display system, SuperSOES, will be used for transactions of fewer than 1 million shares until all securities have transferred to SuperMontage. SuperSOES displays the best proposed purchase and selling prices for a stock, as well as who is participating in the market for that stock and each issue’s most recent transaction. In contrast, SuperMontage will aggregate the top five proposed purchase and selling prices for a stock, giving traders more access to possible trades and increased transparency, said Adena Friedman, Nasdaq’s executive vice president of data products.

“It shows if there are a lot of people interested in buying or selling a particular stock out there,” Friedman said.

Randich said the technology behind SuperMontage represents a doubling of Nasdaq’s network bandwidth and offers more scalability for adding servers and processors. He said SuperMontage’s processing ability is nearing 5,000 transactions per second.

SuperMontage’s back-end systems consist of 22 Stratus Computer Corp. Continuum Series 400 servers, 165 Dell servers running Windows 2000 to support new electronic products and surveillance software, and 24 Hewlett-Packard Co. NonStop S86000 servers with 16 processors each. Randich said Nasdaq will be the first commercial customer to deploy HP’s newest high-end server and added that it has performed well in processing performance tests.

Why It’s Better

SuperMontage offers improvements over Nasdaq’s SelectNet and SuperSOES. For instance, it will:

■ Provide a fully integrated order display and execution system.

■ Display the top five bids and offers rather than just the single top bid.

■ Deliver the information in real time.

■ Offer pretrade anonymity.

■ Handle more orders, more quickly.

Continued from page 1

WorldCom

bility issue,” said Brunetto. “But now it doesn’t look like anything is stable.”

The WorldCom mess has become a bad dream for many in IT. None of the IT and telecommunications managers interviewed for this article said that they seriously believe that WorldCom’s service is going to be switched off, because it’s too vital. But they also noted that they have no choice but to consider “what if” scenarios.

Gary Rosenberg, telecommunications manager at Nortek Inc., a manufacturer of building products in Providence, R.I., relies on WorldCom for voice and data.

Rosenberg is a 42-year telecom veteran, but WorldCom’s problems are prompting him to think in new ways. He’s talking with vendors about providing a standby service — having lines in place and ready to go if WorldCom fails.

But having seven T1 backup lines in just one facility could cost $100,000 a month, said Rosenberg. The cost is high because the vendors don’t have pricing mechanisms for running lines that aren’t also carrying revenue-generating voice and data traffic, he said. Rosenberg counters by telling vendors that providing an affordable standby service could give them a leg up once telecommunications contracts are rebid. Negotiations are continuing, he said.

WorldCom’s problems are also a slap in the face to IT managers who review a vendor’s financial statements as part of a contracting process. For 15 months, WorldCom allegedly inflated its earnings by nearly $4 billion.

Due diligence “just goes out the window if audited financial statements are not to be believed,” said Andy Fisk, IT manager at the Tribune-Review Publishing Co., a Greensburg, Pa.-based newspaper chain.

Fisk has contacted other carriers to provide backup for his WorldCom services. But like other IT managers, he doesn’t want to change providers “on the off chance they [WorldCom] are going to go away,” he said. But, Fisk added, “on the other hand, I’d hate to find out that they’ve gone away and left us high and dry.”

One person who has experienced a telecommunications failure firsthand is Brian Voss, vice president of telecommunications at Indiana University, a 96,000-student institution in Bloomington.

The university was using services from Teleglobe Inc. in Reston, Va., when it filed for bankruptcy protection in May. Indiana University relied on Teleglobe to provide one of two high-speed circuits connecting the university to an Asia-Pacific high-performance research network.

“Our circuit went off,” said Voss. “I think what we learned from that experience is that it’s probably good to be diversified.”

User Angst

IT MANAGERS ARE CONSIDERING POTENTIAL WORLDCOM FALLOUT:

DIVERSIFICATION

Telecommunications providers price their services to win an enterprise’s entire business. The bigger the volume, the lower the cost. But users will likely find having one provider unacceptable.

SHORTER CONTRACTS

One-year contracts are more likely, to allow flexibility to respond to pricing changes and provider problems.

COMPETITION WORRIES

If key parts of WorldCom are sold off, competition could narrow, raising prices.

How Ryder Deals With WorldCom

WASHINGTON

WorldCom is a daily topic at Ryder System Inc. The telecommunications company’s performance is closely monitored, and once a week a WorldCom official touches base to make sure everything is OK. That’s what CIO Eduardo Vital wants.

Ryder, a Miami-based transportation and logistics company with 30,000 employees worldwide and 1,000 locations in North America, is a big WorldCom customer. WorldCom provides close to 80% of Ryder’s data and voice services. When WorldCom’s problems surfaced, Vital immediately contacted the firm to make arrangements to ensure uninterrupted service delivery. It was agreed that each week a senior account representative from WorldCom would contact Vital’s operations director to discuss systems performance.

WorldCom has “not neglected on providing services that they contracted to us, and I’m comfortable there,” Vital said.

Ryder renewed its contract just two months before WorldCom’s financial problems were disclosed. But Vital said his company continues to have a good working relationship with the vendor, and he believes that the WorldCom officials he dealt with were unaware of the financial problems.

“I have no reason to doubt their honesty,” he said.

- Patrick Thibodeau

Burger King Upgrades to mySAP.com

Fast-food industry standardizes apps

BY MARC L. SONGINI

Burger King Corp. is serving an upgrade of SAP AG’s business applications to its end users. It’s one of a small but growing number of fast-food companies that are standardizing their systems on packaged enterprise resource planning (ERP) applications.

The Miami-based company last month upgraded its installation of SAP’s R/3 human resources and finance applications to Version 4.6c. That sets the stage for future phases of the upgrade of Burger King’s SAP R/3 ERP application to the mySAP.com suite.

During the next year, the company also plans to turn on treasury, real estate, budget management and self-service human resources applications as part of the migration, according to Rafael Sanchez, Burger King’s CIO.

For Burger King, the big appeal of mySAP is the software’s integration capabilities and technical maturation, according to Sanchez.

Between 60% and 70% of the custom modifications in SAP’s earlier finance and human resources releases will be replaced by mySAP functionality, he said. In addition, the real estate management application will replace a custom application written in SAP’s ABAP programming language, Sanchez said.

In general, companies in industries such as fast food and retail have been slower to adopt ERP technology than manufacturers, said Peter Abell, an analyst at Boston-based AMR Research Inc.

Rollout Challenges

Some companies are hesitant to change because they face considerable rollout challenges, especially if their corporate IT systems are linked to individual stores or franchises that have workers who are relatively unfamiliar with technology, Abell said.

But Burger King isn’t alone in turning to a third party. Chick-fil-A Inc., an Atlanta-based chain, ties its 1,000 restaurants in 34 states to its data center’s core ERP system via a virtual private network.

The data center uses Oracle Financials to aggregate sales and daily business data, said Mark Brackett, director of information systems at Chick-fil-A.

Chick-fil-A also plans to add Oracle Internet Expenses to the ERP system within the next month.

Last August, Chick-fil-A upgraded to Oracle’s E-Business Suite 11i from Version 10.7. It installed human resources, financials and payroll applications and added receivables, cash management and order management software.

Brackett said the Oracle suite, which runs on HP-UX servers, has helped Chick-fil-A automate its accounting system, making it possible for the company to open new stores without having to add a commensurate number of IT employees to support them.

ERP Drive-through

BURGER KING’S MYSAP.COM ROLLOUT PLAN INCLUDES THE FOLLOWING APPLICATIONS:

Live as of last month:

■ R/3 4.6c finance and human resources modules

Expanded functionality due to be added within the next year:

■ Real estate management capabilities

■ Treasury management, which handles liquidity, currency issues and investment portfolios

■ Self-service human resources tools for use by employees


For a FREE 30-day fully-functional eval, call toll-free: 1.800.TRIPWIRE (874.7947) or visit http://enterprise.tripwire.com today!

Tripwire is The Data Integrity Assurance Company

Tripwire® establishes a baseline of data in its known good state, monitors and reports any changes to that baseline, and enables rapid discovery and recovery when an undesired change occurs.

Foundation for Data Security

■ Ensure the integrity of your data

■ Instant assessment of system state, reporting “integrity drifts”

Maximize System Uptime

■ Eliminate risk and uncertainty

■ Enable quick restoration to a desired state

Increase Control and Stability

■ Ongoing monitoring and reporting

Lower Costs

■ Find and fix problems quickly and precisely - no more guess work

Your firewalls and intrusion detection tools alone are not enough to keep systems trustworthy. Tripwire’s data integrity assurance products are the only way to know with 100% confidence that your data remains uncompromised. For nearly 10 years Tripwire has been helping IT professionals know exactly what’s changed on their systems, and helping them to recover quickly.

© Copyright 2002. Tripwire and the Tripwire logo are registered trademarks of Tripwire, Inc.

The first complete enterprise wiring closet, LAN core, and data center solution.

Foundry Networks’ FastIron Layer 2/3 switches let you deploy a single architecture enterprise-wide that yields higher performance, better ROI, and lower Total Cost of Ownership. FastIrons have unparalleled port density: up to 672 10/100 ports, 232 Gigabit Ethernet ports, or 14 10-Gigabit Ethernet ports in a single modular system. Featuring sFlow, FastIron switches provide wire-speed network monitoring. Plus the FastIrons offer superior QoS and multicast capabilities, wire-speed bandwidth management, and IronShield security. Learn more about FastIron today at: 1.888.TURBOLAN (887-2652) or www.foundrynetworks.com/fi.

MARYFRAN JOHNSON

Wireless Wake-up Call

I CAN’T DECIDE WHAT amazes me more about the slow-motion security crisis unfolding around wireless LANs. Is it the cluelessness of users who — by the thousands — are installing unsecured “rogue” wireless access points (AP) inside their company networks? Or is it the stubborn refusal (or just plain inability) of so many IT departments to deal effectively with the problem?

Either way, this train wreck is heading for a station near you. When bad things happen to good corporate data, IT management gets blamed. And wireless networks are the security equivalents of Swiss cheese.

Unfortunately, those clueless users are driving this train. In the past two years, more than 12 million wireless LAN cards and APs were sold. Users are the unstoppable force behind this third wave of uninvited technologies invading the corporate IT space. First came PCs, then Web browsers. Now it’s wireless access points.

Over the past several months, we’ve written many stories about wireless network vulnerabilities uncovered at major airlines, name-brand retailers and government agencies that ought to know better.

In nearly every case, the standard defense was to claim that the breach didn’t really matter because the exposed data wasn’t “sensitive” or proprietary. Bzzzt! Wrong answer.

The real danger of APs, security experts point out, lies in the unwelcome access to your internal networks and how much an intruder can learn about your systems. “Once you’re sitting on a corporate network, you can gain universal network-level access and talk to any machine,” says Eric Schnack, chief operating officer at Palisade Systems, a security vendor in Ames, Iowa, that specializes in protecting network-level access. “You don’t want random people inside your network, sending arbitrary traffic to a mission-critical server or bombarding the ERP server with traffic,” adds Sandeep Singhal, CTO at security infrastructure vendor ReefEdge in Fort Lee, N.J.

So, what are you doing about it? Worrying, mostly. In this week’s issue and on our Web site, we’ve published the results of our wireless LAN security survey of 159 IT professionals — nearly half of whom confessed to having no confidence in their own wireless security. Some 46.5% haven’t written any policies forbidding employees from installing them in the first place.

So, what should you be doing instead of just worrying? We offer plenty of ideas from your peers in “The Security Action Plan,” starting on page 23 and online [QuickLink: kl600]. But here’s a short wireless security to-do list:

■ Be the bad cop. Insist that IT maintain total control of all wireless LAN access, and implement policies that make network lawbreakers eligible for immediate termination.

■ Make sure all wireless network cards and base stations are registered and secured, and upgrade everything to 128-bit session encryption.

■ Investigate the myriad wireless security products arriving in an increasingly competitive market.

■ Require the use of a VPN to access critical resources.

■ Enforce periodic reauthentication for all users, and restrict LAN access rights by job role.

■ Scan and sniff internal networks regularly to ferret out rogue APs.

Most important, accept that wireless networks are the Borg and that resistance is indeed futile. Aggressively manage the problem now. This is one wake-up call you can’t afford to sleep through.

MARYFRAN JOHNSON is editor in chief of Computerworld. You can contact her at maryfranjohnson@computerworld.com.

FIXING VULNERABILITIES

The CTO at ReefEdge lists 10 ways to plug the holes in your wireless network.

QuickLink: 31267

PIMM FOX

The Unseen Risks of IT Outsourcing

Ever wonder how, if something isn’t good for you, it can be good for someone else?

The buzz is that IT outsourcing is a win-win situation. Large enterprises place the burden of maintaining, servicing and upgrading IT operations onto a third party, which in turn makes nice profits through economies of scale. But the recent debacle at WorldCom has brought to light questionable accounting practices at its IT provider, EDS, and casts doubt on the financial arrangements that have made IT outsourcing agreements viable.

Because most IT outsourcing deals demand high upfront costs for equipment, network connectivity and personnel, the initial years of an engagement can mean huge losses for the IT provider. To mitigate this problem, EDS chose, in the case of its $6.4 billion, 11-year contract with WorldCom, to employ percentage-of-completion accounting. That let EDS grow rapidly by booking some revenue before it was billed. It also let it spread over several years some of the expenses of setting up the IT infrastructure.

But the recent accounting scandals bring into question whether this method is a good way to analyze a company’s financial performance. Besides making it difficult to figure out whether a particular contract is profitable, it places a huge amount of risk at the door of the outsourcing firm. And you have to wonder whether you can depend on your outsourcer.

How much longer can this last?

EDS pulled out of the bidding on an IT outsourcing contract for Procter & Gamble worth almost $1 billion per year, citing too much risk in taking
over a majority of the consumer products giant’s back-office operations.

Is this a warning shot for a review of IT outsourcing relationships? Outsourcing has been touted as an efficient way for companies to focus on what they do best while palming off the IT drudgery to someone else. But we’re learning that the drudgery comes with some high costs and might not be so profitable for third parties without some financial maneuvers.

At the very least, the scandal should refocus the debate on whether IT expertise ought to be a genuine cost, built into the routine of running a business, and whether you can be immunized from the risks of maintaining an IT infrastructure just by signing a contract.

With uncertainty surrounding the accuracy of financial reporting, it’s imperative that you know the risks your potential IT outsourcing firms have incurred. Ask who their largest customers are, learn how they plan to account for your business, and check if they’re making money from their contracts. That’s the only way to verify that win-win is more than a marketing slogan.

DAN GILLMOR

Users Must Beware of Legal Trends

THE IT USER community has never thought of itself as making laws, except to the extent of setting down rules inside the enterprise. This is a natural consequence of doing a particular job.

Maybe it’s time to think more broadly. The way you do your job is going to have more impact on society at large than you may want to know.

Recently, some top minds in law and technology assembled at the Berkman Center for Internet & Society at Harvard Law School. One was Lawrence Lessig, the Stanford University law professor who said, persuasively, that the future is bleak unless people step up to some serious issues. The forces of absolute control are on the verge of deciding what kind of creativity and innovation will be allowed, and as a result, they’re damping down progress.

Lessig’s key insight is that code, the zeroes and ones, can become law. IT writes, buys, licenses and uses software; code, interrelating with other forces, becomes one of the governing influences on our lives, just as the location of a road changes a community or the absence of a ramp keeps out people in wheelchairs.

Societal norms and the law say you can buy a music recording and make a copy to play in my car. You can buy a book and give it to your child. But in the age of digital content, the owners of the copyrights say these uses are a bug, not a feature.

So they write code that gives them utter control over how copyrighted material — or, in some cases, even material in the public domain — may be used. Using code, they forbid those formerly legal and customary uses.

Because the owners are well organized and financed, they have bought political support. Recent laws make it illegal to circumvent the code they’ve used to decimate old law and tradition. And a few big companies, paranoid and stuck with outdated business models, effectively get to determine the parameters of creativity.

The patent system has also run amok. Software and business-process patents are a clear and present threat to innovation.

If you use open-source software in your business, either because it works well or is a way to keep proprietary-software companies from owning you (or both), beware patents. At the Harvard event, a manager of Microsoft’s “shared-source” program, in which customers can look at Windows source code under restricted conditions, repeatedly didn’t answer when asked if Microsoft intended, as a senior executive has openly threatened, to use its growing patent portfolio against open-source programmers.

IT needs to consider its own needs and consequences. Many of you are telling Microsoft you want locked-down PCs — far more so than today’s models — that can do only what systems administrators allow them to do. This, after all, can ensure adherence to corporate information policies and, perhaps, boost security.

Bake this into the operating system, and you’ve solved one problem. But you’ve helped spawn a new monster, a regime in which Microsoft and its new allies in Hollywood and government become arbiters of far more than they already control today.

It’s a world where end users — and technology innovators, including IT — will need permission to do what’s already legal and critical to lives and businesses. Is that what you want?


READERS' LETTERS 


Open  Source  Is  Imperfect 

Nicholas  petreley’s 
column  “Open 
Source’s  Open 
Door”  [QuickLink:  30847] 
fails  to  recognize  several 
facts.  First,  if  a  vendor 
changes  source  code  to  cor¬ 
rect  a  security  hole,  it’s  re¬ 
sponsible  for  any  problems 
created  by  that  change.  Sec¬ 
ond,  in-house  modification 
requires  considerable  re¬ 
sources  to  maintain  and 
document  code  changes. 
Third,  while  open  source 
isn’t  attacked  as  often  as  Mi¬ 
crosoft  systems,  that  will 
change  when  it  becomes  as 
common  as  Microsoft  prod¬ 
ucts.  Finally,  open  source’s 
very  nature  provides  an 
open  door  for  those  seeking 
to  exploit  its  weaknesses. 
Alan  Mercer 
Baltimore 


Do  you  truly  believe 
Microsoft  is  pushing 
Palladium  for  user 
security  [QuickLink:  31000]? 
Absolutely  not.  It  wants  to 
be  sure  that  every  machine 
can  run  only  Windows  and 
that  every  copy  of  Windows 


is  “genuine.”  The  benefits  to 
consumers,  if  any,  will  be  in¬ 
consequential.  The  true  ben¬ 
eficiaries  will  be  groups  that 
desire  to  limit  the  way  we 
use  our  computers.  I  used  to 
think  Microsoft  was  the 
best,  but  my  freedom  to  use 
what  I  purchase  in  the  way 
that  I  want  without  permis¬ 
sion  or  activation  is  more 
important  than  jumping  on 
the  bandwagon  and  support¬ 
ing  the  only  game  in  town. 
Vic  Russell 
IT  specifier 

Medina  County  Building  Dept. 
Medina,  Ohio 

Although  the  plans 
for  Palladium  sound 
like  an  improvement 
for  security,  I  wouldn’t  want 
any  hardware  modifications 
that  would  lock  me  into 
Windows  and  out  of,  say, 
Linux. 

Ray  Hooker 
Durham,  N.C. 


Must  There  Be  Only  One? 

Mark Hall’s editorial, “The Real Trial,” in which he says Microsoft’s influence will inevitably diminish regardless of the outcome of its antitrust trial, was well put [QuickLink: 30951]. Have you noticed how the power is reverting to — ahem — IBM? I guess it never went away after all. Is there something about computing that insists there be only one dominant player?

Steven  Rubenstein 
Murfreesboro,  Tenn. 


Spam  Blocked,  for  Free 

Oddly enough, the most effective spam blockers are free [QuickLink: 30604]. Use Sendmail as your mail server software and add a DNS-BL (DNS blocking list) to your feature list. Spamcop, SPEWS, ORDB and others all cost nothing, and they all block most spam. I know — I use them on the mail server of my nonprofit client, and my ISP uses some of them on the mail server that I get my regular e-mail through. I average less than one spam per day, and since I forward those spams to Spamcop to improve the filter, they don’t evade the filters for long. So far, a review of our reject lists shows only minimal false positives (bounces of legitimate mail).
Charles  Oriez 

National  legislative  chair 
Association  of  Information 
Technology  Professionals 
Littleton,  Colo. 


Can't  Plan  for  Fashion 

While there are certainly benefits to be had using CPFR, I think this is true only for products that are fairly stable in nature, such as toothpaste and laundry soap [QuickLink: 30996]. With the fickleness of fashion, apparel retailers would only be guessing.

Bob  Fately 

Van  Nuys,  Calif. 

f8lee@mindspring.com 

COMPUTERWORLD welcomes comments from its readers. Letters will be edited for brevity and clarity. They should be addressed to Jamie Eckle, letters editor, Computerworld, PO Box 9171, 500 Old Connecticut Path, Framingham, Mass. 01701. Fax: (508) 879-4843. Internet: letters@computerworld.com. Include an address and phone number for immediate verification.

For more current letters on these and other topics, go online to computerworld.com/let


DAN GILLMOR is technology columnist at the San Jose Mercury News. Contact him at dgillmor@sjmercury.com.


Cable  &  Wireless... 

When it comes to Internet services for your
business,  the  financial  stability  of  your  provider  is 
vital.  Cable  &  Wireless  is  ranked  the  “Most  financially  stable  operator  in  class”  by  CommunicationsWeek 
International.  Our  wholly  owned,  tier  1  global  IP  backbone  spans  six  continents  and  50  countries.  We  offer  a  full 
suite  of  Internet  services  -  from  dedicated  access  to  a  flexible  portfolio  of  managed  hosting  solutions.  With  a 
balance  sheet  that  says  we’ll  be  here  tomorrow,  we’re  setting  the  standards  for  reliability,  performance  and 
service.  Find  out  more  at  www.cw.com/reliable  or  call  1-866-598-0799.  It’s  a  solid  investment. 


Reliability  extends  far  beyond  the  network 
KNOWLEDGE CENTER SECURITY


EDITOR'S  NOTE 

My colleague Frank Hayes says that “security is the new Y2k” [QuickLink: 30719]. And he’s right: IT security is in a state of crisis on both the vendor and user sides and needs a full-scale remediation effort.

But security doesn’t have the immovable deadline that was so good at focusing everyone’s attention on the Y2k problem and breaking through the usual logjams. Lacking a natural deadline, maybe the pressure for remediation will come from security audits by the federal government, as predicted by futurist Thornton May (page 47).

Short of federal audits, the pressure will have to come from corporate CEOs. Unfortunately, like Y2k, security doesn’t have a clear-cut ROI. So, how are we going to get the CEO’s financial support for major investments in IT security and disaster recovery? I suggest asking your CEO three simple questions:

■ How will the board react if Russian hackers steal $10 million from our accounts? (It happened to Citibank in 1994.)

■ How will we stay in business if employees can’t get into the headquarters building because it’s been cordoned off due to an anthrax scare?

■ How will it look on Wall Street if we’re hit with a “security malpractice” lawsuit because we failed to close security holes that were widely known?

For starters, let’s do the easy stuff. GartnerG2 predicts that 90% of cyberattacks will exploit known security flaws for which a patch is available or a solution known. That’s why one of the tasks on the to-do list in this special report is patch management (page 28). We also suggest assembling a SWAT team to handle security incidents and distributing IT resources for better disaster recovery.

We can help set the agenda and provide implementation tips, but you’ll have to get the CEO to open his checkbook yourself.

Mitch Betts (mitch_betts@computerworld.com) is director of Computerworld’s Knowledge Centers.


KNOWLEDGE  CENTERS  ONLINE 

Knowledge  Centers  provide  practical  information  about  specific  IT  topics.  In 
addition  to  this  monthly  Special  Report  in  print,  there  are  numerous  resources 
at  our  Web  site,  including  research  links,  glossaries,  white  papers  and  the 
following  online  features: 

Industry  Q&A:  Rusine  Mitchell-Sinclair  of  IBM  Global  Services  discusses  the 
hot  trends  in  corporate  security  and  disaster  recovery. 

Case  Studies:  Companies  tackle  issues  such  as  disaster  recovery  for  laptops 
and  how  to  monitor  all  those  security  sensors. 

QuickLink: k1600

www.computerworld.com 
Here’s a to-do list that ranges
from  managing  patches  to 
securing  wireless  LANs. 

The  time  has  come  to  deliver  a  reliable,  hassle-free  extension 
of  your  enterprise  network.  With  Cisco  Mobile  Office  and 
wireless  LAN  solutions,  your  network  will  become  more  flexible, 
scalable,  manageable,  and  productive  —  enabling  users  easy, 
secure  access  to  critical  business  applications,  productivity 
tools,  and  information  databases  while  on  the  road,  at  home  or  at  work.  With  Cisco  AVVID  enterprise 
architecture,  you  can  do  all  this  without  any  disruption.  This  standardized  enterprise  architecture  allows 
you  to  seamlessly  integrate  wireless,  voice,  video,  and  data  applications  on  a  single,  scalable  network. 
This  includes  new  and  existing  technologies  alike.  Whether  you're  building  your  enterprise  network  or 
extending  it  with  Cisco  Powered  Network  services,  take  advantage  of  the  tools  below  to  get  it  done  right. 


Cisco  Systems 

Empowering  the 
Internet  Generation 


Special  Advertising  Supplement 


GOING  MOBILE,  STAYING  SECURE 


BUSINESS  RESILIENCE  IS  REINFORCED  WHEN  USERS  CAN 
SECURELY  CONNECT  FROM  WHEREVER  THEY  ARE 


How can enterprises remain productive and competitive in the face of changing — and often unpredictable — business conditions?

This question is on the minds of many IT managers today. One reason is that businesses worldwide witnessed unprecedented economic changes and disasters this past year. As a result, IT departments are building extra measures of business resilience into their computing, application, and network infrastructures.

Today,  enterprises  are  discovering  that  in 
addition  to  mirrored  data  centers  and  network 
backup  systems,  mobility  is  becoming  a  key 
component  of  business  resilience.  Empowering 
users  to  remain  productive  wherever  they  are 
located  keeps  businesses  agile  and  competitive 
as  they  decentralize  their  operations  and  scatter 
employees  among  headquarters,  branch  offices, 
and  home  offices,  and  while  users  spend 
increasing  amounts  of  time  away  from  the  office 
on  business  travel. 

“If users do not have access to all their productivity tools when they are away from their desks, this is a missed opportunity to push a business forward,” says Charlie Giancarlo, senior vice president of technology development at Cisco Systems. Cisco helps businesses address this challenge with the Cisco Mobile Office, a set of solutions that empowers IT departments to provide secure, high-speed connectivity to mobile users.

One example of mobility as it relates to business resilience is the impact that new security regulations in the airline industry have had on the traveling public. Business travelers now find themselves with significantly more “down” time in airports. If equipped with wireless LAN client adapters and secure virtual private network (VPN) client software in their portable computers, these users have the ability to leverage emerging public wireless LAN services to remain productive. In addition, hotels and conference centers are also offering both wireless and wired Ethernet services for connecting mobile users to their corporate resources via the Internet.

“Similarly,  if  a  natural  disaster  or  weather 
conditions  prevent  employees  from  getting  to  a 
physical  workplace,  users  who  can  connect 
securely  from  home  can  also  keep  the  business 
moving  without  much  interruption,”  says 
Giancarlo. 

THE  THREE  FLAVORS  OF  MOBILITY 

Users  become  mobile  when  they  leave  their 
wired  LAN  connections  and  roam  elsewhere 
with  their  laptops  and  handheld  data  devices. 
From  there,  they  might  switch  to  a  wireless 
LAN  connection  as  they  join  a  meeting  down 
the  hall  or  work  from  an  airport.  Or  they  might 
plug  into  another  wired  broadband  connection 
from  home  or  a  hotel  that  offers  wired  Ethernet 
services. 

Through  the  Cisco  Mobile  Office,  Cisco  offers 
the  networking  tools  that  enable  IT  managers  to 
support  these  different  types  of  connections. 
With  these  liberating  capabilities,  though, 
emerge  fresh  security  challenges,  particularly  in 
the  wireless  sector.  Successfully  addressing 
security  is  critical  to  maintaining  business 
resilience. 

Here, we’ll examine how the Cisco Mobile Office enables both wireless and wired mobility for business customers while solving the security challenges associated with them.


Cisco  Systems 


COMPUTERWORLD 

CUSTOM  PUBLISHING 




AT  WORK:  WIRELESS  LANS 

The Cisco solution for mobility within the enterprise centers around the Cisco Aironet® wireless LAN system, which includes the Cisco Aironet 1200 Series dual-mode access points for both IEEE 802.11b (11 Mbps) and 802.11a (54 Mbps) networking, client adapter cards, and the Cisco Access Control Server for authentication.

Wireless LANs deliver the freedom to work virtually anywhere within a building or around a corporate campus without the limitation of wires or cables. People in a conference room can access information needed to make decisions, for example, rendering meetings more productive. Moreover, wireless networks can serve as a cabling replacement to overcome business limitations created by older buildings and temporary work areas.

Evidence of the potential impact of wireless LANs on user productivity was revealed by a study conducted last fall by NOP World - Technology, a research company that surveyed more than 300 U.S.-based organizations with 100 or more employees using wireless LANs. The study showed that wireless LAN technology allowed users to stay connected for an additional 1.75 hours each day, which increased their productivity as much as 22%.

SECURITY  AT  WORK 

Despite the significant productivity-enhancing potential of wireless LANs, many enterprises have been hesitant to fully embrace them, largely because of security concerns. These worries were fueled by reports last year that the basic security algorithm in the IEEE 802.11b wireless LAN standard is easy to crack.

These vulnerabilities have since been overcome by the security enhancements in Cisco Aironet products. The Cisco Wireless Security Suite, which includes reinforced encryption and authentication, makes it possible for IT departments to untether users without sacrificing network security.

Sharp Healthcare, a regional healthcare delivery system based in San Diego, California, for example, uses Cisco Aironet wireless LANs to improve patient care by enabling bedside caregivers to access patient data records, order lab tests, and issue pharmaceutical prescriptions. Without the Cisco Aironet enhanced security measures, Sharp would be hard-pressed to meet the stricter standards for patient confidentiality recently mandated by the Health Insurance Portability and Accountability Act (HIPAA), comments Mark Weisenberg, Sharp’s director of network services.

“The HIPAA requirements have a direct bearing on wireless data transfer, and we needed absolute certainty that we were not going to put patient records in jeopardy with our wireless system,” he says.

What are the security risks associated with wireless networks? In general, enterprises must protect themselves from unauthorized individuals gaining access to corporate servers or “stealing” data in transit. They also need to guard against denial-of-service attacks on corporate Web servers, which clog them up with bogus service requests and prevent user and customer access to data and services.

These vulnerabilities exist in wired networks, too, but wireless LANs open an additional exposure that must be addressed specifically, because radio signals can penetrate walls. If the proper security mechanisms are not in place, someone outside a building but within range of an access point could circumvent the firewall and hop onto the enterprise network.

Today, enterprises using wireless LANs have deployed four distinct forms of security: open access (no security), basic security, enhanced security, and specialized security. The primary reason some enterprise installations have no security is that, in accordance with IEEE 802.11b specifications, systems ship by default with basic encryption disabled, and companies are not turning it on. Even when these features — called Wired Equivalent Privacy (WEP) — are activated, though, the static nature of the WEP encryption key still leaves companies at risk. Static encryption keys rarely change, leaving hackers plenty of time to decode them.

The Cisco Wireless Security Suite enables both enhanced and specialized security to overcome static WEP vulnerabilities for enterprise-class protection. Within the enterprise, enhanced security is recommended, while specialized security in the form of a VPN based on the IP Security (IPSec) standard is appropriate for users on the road.

For enhanced security within the enterprise, Cisco has expanded the industry-standard Extensible Authentication Protocol (EAP), which fits into the IEEE 802.1x standard authentication framework, to create an authentication algorithm called EAP Cisco Wireless (also called “Cisco LEAP”), which enables per-user, per-session authentication. Cisco products also support dynamic encryption keys and a pre-standard version of Temporal Key Integrity Protocol (TKIP), which adds per-packet keying, fast rekeying, and message integrity checks to 802.11 security. Together, these capabilities make sessions nearly impossible to hack.

To guard against wireless-initiated denial-of-service attacks, EAP Cisco Wireless supports mutual authentication. “In addition to the user being authenticated, the access point to which the client is connecting must also be authenticated,” explains Pejman Roshan, Cisco technical marketing engineer. “This prevents unauthorized access points from being set up inside buildings, from which someone could launch denial-of-service attacks onto a corporate Web server.”

ON  THE  ROAD:  PUBLIC  LAN  SERVICES 

Users who spend a substantial amount of time on the road have an increasing array of connectivity options. As mentioned, the availability of wireless LAN services for high-bandwidth access to the Internet is proliferating in airports, convention centers, public hotel areas, restaurants, and coffee shops. Wired Ethernet connections are also becoming available in hotel rooms and other locations.

The property owners and service providers supplying these services to enterprise users can deploy them using infrastructure equipment made by Cisco. For example, hotels can run Cisco switches that support Cisco Long-Reach Ethernet technology to support multimegabit-speed connections in guest rooms wired with older Category 1/2/3 telephone wiring. Similarly, Cisco wireless access points can be installed in public venues to enable open-access wireless LAN connectivity to the Internet.

All traveling business users need to use these services are the appropriate client adapters in their portable computers to access these wired or wireless networks. As mentioned, VPN client software is also highly recommended for security.

What about handheld devices? Presenting content on small displays necessitates a transformation function to reformat the HTML and XML content residing in corporate Web servers that has been tuned to desktop-sized displays. In addition to performing markup language translation (such as HTML to WML), it is important to deliver the right subset of data to the requesting device. The Cisco CTE 1400 Series Content Transformation Engine, for example, front-ends an organization’s Web servers to transform content for display by a variety of mobile devices using default or customized rules.

SECURITY  ON  THE  ROAD 

When users connect to their corporate networks from the road, IPSec VPNs protect against hack attacks on remote-access connections. IPSec VPNs have two components: client software that resides in the user’s mobile computer and a security gateway at the corporate site, such as the Cisco VPN 3000 Concentrator. Encrypted tunnels run between the client and the gateway, which terminates the tunnels and decrypts data.

For public wireless LAN services, IPSec VPNs are especially encouraged. Access points in these locations generally run with their vendor-specific security mechanisms disabled to encourage open access to all potential users. Since the radio signal does not have any physical security associated with it, strong encryption in the wireless access network, supplied by the client VPN software, prevents hackers from stealing data out of the air.

AT  HOME:  BROADBAND  ACCESS 

The mobility component of business resilience includes corporate teleworking programs, which let employees work productively from home. According to a 2000 survey by Kinetic Workplace, U.S. companies with teleworking programs saved approximately $12,000 a year per teleworker and also reduced real estate costs as much as 60%.

Workers at home require secure, high-speed connections to their corporate networks. Sometimes the access services available in the various employee locations differ, so a company might need to support a mix of ISDN, DSL, cable modem and other broadband connections.

Cisco has a variety of broadband access products for at-home workers. For example, the Cisco 806 Broadband Gateway Router connects to any type of high-speed access connection through an Ethernet WAN port. So while an organization may not be able to standardize on the type of broadband network service used by its teleworkers, it can standardize on a single equipment platform.

SECURITY  AT  HOME 

IPSec  VPNs  again  come  into  play  for  securing 
connections  from  the  user’s  home  site  across  the 
untrusted  public  Internet  to  the  corporate  VPN 
gateway.  There  are  several  equipment  options  for 
teleworker  security;  the  choice  often  depends  on 
the  equipment  available  from  the  service  provider. 

The Cisco 827 Router, for example, has built-in security, including stateful-inspection firewall capabilities and VPN support with IPSec 3DES encryption. There are other security options as well, including the Cisco PIX® 501 Firewall and the VPN 3002 Hardware Client. To ease the administration of corporate teleworking programs, central IT staff can use special software that distributes predefined security policies out to large numbers of Cisco 800 Series routers and security appliances.

EMPOWERING  THE  ENTERPRISE  WITH  MOBILITY 

Because of the enhanced capabilities now available for securing connections across untrusted wireless networks and the public Internet, enterprises can embrace mobility as a key component of their business resilience strategies. This empowers companies to keep business processes going when users are away from a traditional office workspace with a wired connection to the corporate network. Employees who can get connected both within and outside of the corporate walls are employees who stay productive and, as a result, increase their companies’ competitive power.


FOR  MORE  INFORMATION 

www.cisco.com/offer/mobileoffice 

www.cisco.com/offer/aironet-security 

www.cisco.com/offer/security 

www.cisco.com/offer/hotspots 


SECURE  ENTERPRISE  MOBILITY  SOLUTIONS  FROM  CISCO 


Columns: Mobility Application / Product / Description

At Work

  Cisco Aironet 1200 Series Access Point: Dual-mode 802.11a/802.11b radio that provides wireless access to the corporate network

  Cisco Aironet Client Adapter Card: Wireless LAN interface card that secures connections using the Cisco Wireless Security Suite

  Cisco Access Control Server: A RADIUS authentication server that supports Cisco LEAP security protocols

On the Road

  Cisco IPSec VPN Client Software and VPN 3000 Concentrator: Together, establish secure “tunnels” for remote access using DES or 3DES encryption algorithms

  Cisco Aironet Client Adapter Card: Wireless LAN interface card. When used with public network services, security is achieved using specialized IPSec VPN technology (see above).

  Cisco CTE 1400 Series Content Transformation Engine: Dynamically transforms Web content so that it is properly displayed on the small screens of handheld devices

At Home

  Cisco 800 Series Routers: Connect users to broadband Internet services for access to corporate resources. Some support integrated stateful firewall and IPSec capabilities.

  Cisco PIX 501 Firewall: Security appliance that provides up to 10 Mbps of firewall throughput and 3 Mbps of 3DES throughput

  Cisco VPN 3002 Hardware Client: Provides secure connections to a VPN 3000 Concentrator at a central site using IPSec tunnels
The Story So Far

IT copes with trapdoors, worms, Russian hackers and Hurricane Hugo. By Frank Hayes

A lock on the door was state-of-the-art security for data centers 40 years ago. Programs were run in batch mode with no remote terminals, so the greatest risk to data security was that a mainframe printout might be retrieved from a trash bin. And disaster recovery largely consisted of making sure that, should there be a power outage, reels of tape were carefully removed from tape drives; the tapes could be damaged if the power suddenly came back on.

That was the last time security would be so simple.

By November 1961, developers at MIT were demonstrating their experimental Compatible Time-Sharing System, which allowed four users working at terminals to run programs at the same time. Time-sharing meant users could intentionally interfere with other users’ programs — and by the late 1960s, terminals connected by modem meant that an outsider could learn a password and log in. But there was little risk of that at first, since a remote terminal cost as much as a new car.

Mainframes and minicomputers offered little protection against malicious behavior by internal users. Prank programs that created copies of themselves on a computer until it crashed, and “trapdoor” codes that gave one user access to another’s work, were in use by 1972. The first desktop computers hit the market in 1975, and, along with rapidly falling prices for modems, they helped set the stage for what would later become an epidemic of hacking aimed at corporate systems.

Encryption was the way to protect data from prying eyes as it moved through modems or networks. In 1976, the U.S. government officially approved its Data Encryption Standard (DES), which became widely used for financial information sent electronically. That same year, three researchers — Ronald Rivest, Adi Shamir and Leonard Adleman — developed a practical version of public-key encryption, which had been invented in 1976 by Whitfield Diffie and Martin Hellman as a way to easily encrypt communications of all kinds.

But encryption wouldn’t solve all security problems. In 1982, the first computer virus was infecting Apple II computers. IBM PCs had viruses of their own by 1986; commercial antivirus software was available by 1988.

And hostile hackers learned to use the Internet. In 1986, astronomer Clifford Stoll tracked down a 75-cent accounting discrepancy and helped catch five German hackers who had broken into 450 computers. Other hacker hunters were at work too — but there were far more hackers.

Preparing  for  Disaster 

The Internet had problems of its own. On Nov. 2, 1988, Cornell University student Robert Morris released a “worm” program onto the Internet that infected 6,000 host computers — 10% of all Internet hosts — and crippled the Net for days.

Meanwhile, disaster recovery had come into its own. By 1980, Comdisco Inc. and other companies had begun providing disaster recovery services. By the end of the decade, more than 40% of businesses had disaster recovery plans. And they needed them, what with Hurricane Hugo and the San Francisco earthquake in 1989, flooding of underground tunnels in Chicago and Hurricane Andrew in 1992, the bombing of New York’s World Trade Center in 1993, and another big quake in Los Angeles in 1994, along with a steady stream of smaller catastrophes that threatened ever more business-critical IT shops.

Mother Nature wasn’t the only threat, as some hackers became ambitious cybercrooks. In 1994, a group of Russian hackers siphoned $10 million from customer accounts at Citibank; they were caught the next year. Other hackers attacked Internet businesses to steal credit card and Social Security numbers.

Encryption was under attack too — by its supporters. In June 1997, a project called Deschall linked tens of thousands of computers on the Internet to crack the 20-year-old DES algorithm in 96 days. Less than a year later, the Electronic Frontier Foundation used a custom, $250,000 computer to crack DES in only 56 hours. The U.S. government began to relax restrictions on exporting stronger encryption systems and officially approved its Advanced Encryption Standard in May 2002.

In the aftermath of the Sept. 11 attacks, security is a bigger issue for IT than ever before, with new efforts to protect systems and close software holes — and use technology to track down terrorists.

And now, on with the story. ...
Six steps to
cutting  costs 
and  counting 


By  Deborah 
Radcliff 

Like a lot of other security professionals these days, Mike Hager, security chief at OppenheimerFunds Distributor Inc. in New York, is under excruciating pressure to provide top-notch protection of data, ensure privacy and manage user access — all on a drum-tight budget. He also needs to justify all project costs and results to top management.

Knowing this, Hager says he doesn’t try to sell a security project unless he can first explain its value in terms the business side understands. The best method is to show a reduced cost of administering security, which IT managers say is the only way to demonstrate return on security spending.

“Show me the money” is something of a new commandment for security professionals long accustomed to concerning themselves more with passwords than with payback projections. But fortunately, there are proven steps that security managers can take to get their networks and systems ready for future security investments that could yield a positive return. There’s also a spate of new products aimed at reducing security overhead costs. Using the two together, there’s hope for beleaguered security professionals seeking to quantify the positive results of their work and show where and how it adds value to the business.

1. Know your business. “You can get value from security programs if you map your technical measures to your business needs,” says Steve Hunt, an analyst at Giga Information Group Inc. in Cambridge, Mass. But, he adds, “unfortunately, over 30% of all IT security spending is poorly focused and ineffective by best-practices criteria.”

Mail servers are a prime example, Hunt says. “If the mail server goes down, the response team goes to DefCon 5, the highest and most expensive security response,” he explains. “But in many cases, the business manager says ‘Ho-hum, maybe now I can get some real work done.’ ”

The lesson: Know what’s critical to the business and adjust security accordingly. “If you’ve got systems that are really critical to a business process, [and] you know where your most proprietary secrets are, then you know where to prioritize [security] money and allocations,” says Charles Neal, vice president of managed security services at Exodus, a Cable & Wireless Internet Services Inc. company in New York. “For other systems, it may not be a catastrophe if someone broke in, so you spend less.”

Sensitivity Analysis

ROI increases when security is designed into systems, rather than added later.

FACTORS / COST SAVINGS IN CONSTANT DOLLARS

Fixing one additional moderate security defect: 123%
Increased defect-fix efficiency (10% less effort): 47%
Accelerated development cycle (10% faster): 8%
Code quality (one additional security defect): 5%
Shorter patch release periods (10% shorter): 3%

SOURCE: @STAKE INC., CAMBRIDGE, MASS.


2. Form alliances. Locating risk-sensitive data and systems also means building alliances with business managers. Motorola Inc. in Schaumburg, Ill., does this by placing an IT security officer in each of the company’s six business units to represent the business requirements to the IT team and vice versa.

“The job of our business unit security officers is to adapt, refine and deal with the implications that support the critical priorities of the business, while following our corporate policies and standards for enterprise-level technologies,” says Chief Information Security Officer Bill Boni.

3. Set standards. By blending business requirements with best practices, the security team can establish rules-based security standards for operating systems and platforms. This way, IT organizations can better target security spending, including training dollars, for secure systems administration, says Boni.

These operational standards should include specific instructions for where and what to patch, which services to disable or leave on, which operating systems to harden, which types of systems to allow on the network, and where to implement additional security capabilities, such as row-level encryption or public-key infrastructure.

Standards-setting is especially important in mergers. “We’re taking the best of policies and standards for each company and coming up with new policies, and then setting operational security standards as part of the autobuild procedures for each new system that gets deployed,” says Pat Hymes, manager of corporate information security engineering at Wachovia Corp., a Charlotte, N.C.-based financial services firm that merged with First Union Corp. in September.

4. Bake-in security. Standardizing security rules can reduce the cost of providing secure configurations to other IT departments, Hymes notes, because it requires IT groups to “bake-in security in products and processes at the onset, rather than repair after the fact.”

In May, the Hoover Project, a research arm of @Stake Inc., a Cambridge, Mass.-based security company, released the results of a quantitative study that rated the cost savings of pre-engineered security against postdeployment security repairs. Forty-five homegrown and commercial applications were tested (see charts). “If you build in security during the design phase of your applications, you can reduce your risk by 80% and achieve rework savings of 21%,” says Andrew Jaquith, Hoover’s program director.

5. Assess, benchmark, and then count the savings. Knowing whether established standards are being met is where the process can become more technical. Consider Motorola’s ambitious goal of aligning standard build features with audit compliance. Boni is automating this task with the help of a vulnerability scanning tool called FoundScan from Foundstone Inc. in Mission Viejo, Calif. Like many assessment tools, FoundScan reports on the state of security throughout the network and sends alerts when something falls out of specification.

For benchmarking, the best type of assessment products or services would be those that adapt to the corporation’s own security standards, send notification when corporate policy has been violated and provide audit reports that can be used to show security effectiveness. Corporate boards and regulators are beginning to require all three, according to Michael Ressler, director of security services at Predictive Systems Inc., a network security consulting company in New York.

Measuring ROI

Cost savings increase the earlier security is addressed in the development cycle.

PHASE / COST SAVINGS

Design: 21%
Implementation: 15%
Testing: 12%

SOURCE: @STAKE INC., CAMBRIDGE, MASS.

Since assessing the network manually with internal staff is financially prohibitive, the products are easily cost-justifiable. For example, John Shields, senior vice president of e-business at Patelco Credit Union in San Francisco, says IP360, a tool from nCircle Network Security Inc. in San Francisco, costs him $50,000 per year. That’s $100,000 less than he would have spent on the manpower to do the same tasks. And Motorola is paying tens of thousands of dollars per year instead of millions for its perimeter assessments alone, says Boni.

But technology doesn’t fully gauge the effectiveness of policies as they pertain to people and processes. For this reason, Giga has launched an assessment service called the Security Action ReportCard, which is suitable only for large organizations. The Giga service goes beyond technical assessment programs to assess people and processes, compare them to industry best practices, and map security measures to business requirements to help achieve better cost-effectiveness.


6. Don’t go it alone. There are many other vendor services coming to market to help IT managers reduce administrative overhead for current security processes. For example, managed security services provided by outsourcers are saving some midsize companies up to 80% of what it would cost to monitor security events in-house. New forms of middleware are also springing up to consolidate security report information from intrusion-detection, antivirus and firewall sensors to offer better response and correlation. And larger vendors, such as Cupertino, Calif.-based Symantec Corp., are cobbling together suites with central management interfaces.

The bottom line: “The reality in business is budget,” says Gartner Inc. analyst John Pescatore. And that goes for security as well.

“Security has to help the company make more money by supporting business processes, instead of just preventing bad things that could happen,” Pescatore says. “So good security officers usually have good security organizations, even if they’re spending less than industry average.”


Those Patches!

Software makes fixes easier, but identifying what needs patching is still a costly hassle. By Stacy Collett


Every morning, Mark Bialik diligently scans 30 to 40 vendor and security Web sites looking for the latest patches for Infinity HealthCare’s many Microsoft Office, Web server and Windows NT-based applications.

On a good day, it takes two hours to conclude that no new patches have been issued. On a not-so-good day, Bialik spends up to four hours figuring out if he’s running the affected software. In the worst case, such as when the Code Red worm hit last July, Bialik’s day is consumed by installing patches for 20 servers and hundreds of PCs. “I remember a time when I spent three to four days straight doing nothing but patches,” says Bialik, a network and security manager at the Mequon, Wis.-based health care provider.

These days, new security software makes it easier to distribute and test patches. But finding a fast and reliable way to identify new patches and prioritize installation remains elusive and costly.

Companies spend more than $2 billion annually on patch research and deployment, according to Aberdeen Group Inc. in Boston. Meanwhile, the pressure to find and install every patch is increasing as companies heighten security and focus on intrusion detection and managed vulnerability scanning.

It has to be done, so how can systems administrators and security managers make patch management more manageable? Security software vendors, end users and analysts offer the following three tips:


Develop  a  ‘Patch  Network’ 

Security software products can help streamline the process of finding patches by offering links to vendor sites. But vendors have come under scrutiny for not releasing patches fast enough for their users. Problems and patches can be more quickly identified by establishing a network of peers in multiple organizations, such as former colleagues or people at like-minded institutions, says Eric Hemmendinger, an Aberdeen Group analyst. “They may be your best resource,” he adds.

Security portals such as Sans.org and Incidents.org also provide a front line for identifying patches and fixes. “Find good, reliable places that gather the data for you, and make a habit of reading them daily,” Bialik says.

Do’s and Don’ts

DO establish a network of peers outside your organization to help identify vulnerabilities and find patches.

DO prioritize installations according to their impact on your organization.

DO invest in security software that keeps a log of patches installed on each PC and server.

DON’T rely on quick fixes offered at hackers’ sites.

DON’T install patches without first testing them in a development environment.

Buy Time by Prioritizing

Before rushing to install every patch that comes along, prioritize installations according to their impact on the organization. A vulnerability in an e-commerce application should take priority over one in a platform that’s fairly well hidden from the Internet, for instance.

If a high-priority vulnerability is identified, security managers are finding that multilayered security software, which is located at the firewall as well as the lowest level of the network stack, can temporarily plug the hole until a permanent patch is installed.

“Customers recognized this benefit before we did,” acknowledges Jon Greene, senior vice president at Network-1 Security Solutions Inc. in Waltham, Mass., which sells a line of software security products. “If the intrusion can be detected, we can identify it and stop it. That buys them time to assess the appropriate patches that need to be deployed.”

No matter how critical the patch may be, don’t rely on fixes offered at hackers’ Web sites; they can’t be trusted. Bialik offers this advice instead: “If you can get by without running that particular application for the time being until the fix is out, turn it off!”

Evaluate  Before  You  Patch 

To save yourself time and legwork, invest in security software that keeps a log of patches installed on each PC and server. The software can also check to make sure patches are working and will rank the vulnerability of each application.
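As an added illustration of the prioritizing and patch-log tips above (not code from the article or from any product it names), this sketch matches one advisory against a per-host log of installed software and patches, then orders the unpatched hosts so that Internet-facing systems come first. The inventory layout, exposure labels, host names, product names and patch identifiers are all assumptions constructed for the example.

```python
# Lower rank = patch sooner. The labels are assumptions for this example.
EXPOSURE_RANK = {"internet": 0, "dmz": 1, "internal": 2}

# Constructed inventory: what each host runs and which fixes its patch log shows.
INVENTORY = [
    {"host": "web-shop-01", "exposure": "internet",
     "software": {"ExampleWebServer": "5.0"}, "patches": {"FIX-0001"}},
    {"host": "intranet-01", "exposure": "internal",
     "software": {"ExampleWebServer": "5.0"}, "patches": set()},
    {"host": "web-shop-02", "exposure": "internet",
     "software": {"ExampleWebServer": "5.0"}, "patches": {"FIX-0001", "FIX-0014"}},
    {"host": "file-01", "exposure": "internal",
     "software": {"ExampleFileServer": "4.0"}, "patches": set()},
    {"host": "dmz-mail-01", "exposure": "dmz",
     "software": {"ExampleWebServer": "4.0"}, "patches": set()},
    {"host": "lab-07", "exposure": "unknown",
     "software": {"ExampleWebServer": "5.0"}, "patches": set()},
    {"host": "legacy-01", "exposure": "internal",
     "software": {"ExampleWebServer": "3.0"}, "patches": set()},
]

# Constructed advisory: which product versions are affected and which fix closes it.
ADVISORY = {
    "fix": "FIX-0014",
    "product": "ExampleWebServer",
    "affected_versions": {"4.0", "5.0"},
}


def triage(inventory, advisory):
    """Sort hosts into patch_now (ordered by exposure), already_patched, not_affected."""
    patch_now, already_patched, not_affected = [], [], []
    for host in inventory:
        version = host["software"].get(advisory["product"])
        if version is None or version not in advisory["affected_versions"]:
            # Not running the product, or running a version the advisory excludes.
            not_affected.append(host["host"])
        elif advisory["fix"] in host["patches"]:
            # The patch log already records the fix on this host.
            already_patched.append(host["host"])
        else:
            patch_now.append(host)

    # A host nobody has classified is ranked with the Internet-facing ones,
    # so a missing label never pushes a machine to the back of the queue.
    patch_now.sort(key=lambda h: (EXPOSURE_RANK.get(h["exposure"], 0), h["host"]))
    return {
        "patch_now": [h["host"] for h in patch_now],
        "already_patched": already_patched,
        "not_affected": not_affected,
    }


if __name__ == "__main__":
    result = triage(INVENTORY, ADVISORY)
    for bucket, hosts in result.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The ordered list is a starting point for scheduling; it says nothing about whether the fix has been tested against a copy of the production system.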

Klipsch Audio Technologies uses San Diego-based St. Bernard Software Inc.’s Update Expert to identify servers and PCs that need patches, scheduling upgrades after business hours. “Something that would’ve taken six people four hours to do, we can set up in 10 minutes and not have to worry about it,” says Mike Fulton, a network manager at the Indianapolis-based audio systems manufacturer.

Another tip: Test the patch first in a development environment to make sure it won’t create new problems with the rest of the system. Companies that don’t have the luxury of a complete test environment can develop a scaled-down version with at least a copy of the operating system running the applications in production.

And finally, beware of the pitfalls of patch-management software. Users report confusion over which security patch service packs work with different software versions. They also tell of technical support staffers who refused to help with a patch because their companies weren’t running the latest version of the vendor’s software. Other users say some scanning software can give false positives on uninfected machines.


Collett is a freelance writer in Sterling, Va.

A computer incident response team, or CIRT, is a lot like a firefighting crew — both are composed of individuals trained to respond quickly to specific incidents with the goal of limiting damage and reducing recovery time and costs.

“Like a fire department, you can use [CIRTs] for actual incident response and for cleanup, for education and for drills,” says Richard Mogull, an analyst at GartnerG2 in Stamford, Conn.

A CIRT may be activated by virus or hacker attacks, internal sabotage or even suspicious activity, such as successive attempts to gain access to a system or transactions that fall outside preset boundaries — such as a money transfer exceeding $1 million.
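The two kinds of suspicious activity named above can be written down as explicit activation rules. The following is an added illustration, not code from the article or from any organization it quotes; the event format, the five-failure threshold and the ten-minute window are assumptions, the sample events are constructed, and only the $1 million transfer limit is the article's own example. Events are assumed to arrive in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from decimal import Decimal, InvalidOperation

# Assumed policy values. Only the transfer limit mirrors the article's example.
MAX_FAILED_ATTEMPTS = 5
ATTEMPT_WINDOW = timedelta(minutes=10)
TRANSFER_LIMIT_USD = Decimal("1000000")

# Constructed sample events, one per line: timestamp|type|subject|detail
SAMPLE_EVENTS = """\
2002-07-15T09:00:05|login_failed|jdoe@hr-db01|bad password
2002-07-15T09:00:09|login_failed|jdoe@hr-db01|bad password
2002-07-15T09:00:14|login_failed|jdoe@hr-db01|bad password
2002-07-15T09:00:20|login_failed|jdoe@hr-db01|bad password
2002-07-15T09:00:27|login_failed|jdoe@hr-db01|bad password
2002-07-15T09:00:31|login_failed|jdoe@hr-db01|bad password
2002-07-15T09:05:00|login_failed|asmith@mail01|bad password
2002-07-15T09:40:00|login_failed|asmith@mail01|bad password
2002-07-15T10:02:11|transfer|acct-1001|1000000.00
2002-07-15T10:03:45|transfer|acct-1002|1000000.01
2002-07-15T10:04:00|transfer|acct-1003|not-a-number
"""


def find_triggers(lines):
    """Return (triggers, rejected).

    triggers: (timestamp, rule, subject) tuples that should activate the CIRT.
    rejected: raw lines that could not be parsed and need a human look.
    """
    failures = defaultdict(deque)  # subject -> timestamps of recent failures
    already_alerted = set()        # subjects whose current burst was reported
    triggers, rejected = [], []

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ts_text, kind, subject, detail = raw.split("|", 3)
            ts = datetime.fromisoformat(ts_text)
            if kind == "login_failed":
                recent = failures[subject]
                recent.append(ts)
                # Drop failures that have aged out of the sliding window.
                while ts - recent[0] > ATTEMPT_WINDOW:
                    recent.popleft()
                if len(recent) < MAX_FAILED_ATTEMPTS:
                    already_alerted.discard(subject)  # burst is over
                elif subject not in already_alerted:
                    already_alerted.add(subject)      # one alert per burst
                    triggers.append((ts, "successive_access_attempts", subject))
            elif kind == "login_ok":
                failures.pop(subject, None)
                already_alerted.discard(subject)
            elif kind == "transfer":
                # "Exceeding" the limit: exactly $1 million does not trigger.
                if Decimal(detail) > TRANSFER_LIMIT_USD:
                    triggers.append((ts, "transfer_over_limit", subject))
        except (ValueError, InvalidOperation):
            # Malformed records are kept for review rather than silently dropped.
            rejected.append(raw)
    return triggers, rejected


if __name__ == "__main__":
    found, bad = find_triggers(SAMPLE_EVENTS.splitlines())
    for ts, rule, subject in found:
        print(ts.isoformat(), rule, subject)
    print("unparsed lines:", len(bad))
```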

Incident response at companies that don’t have a CIRT tends to be expensive and ad hoc, says Steve Romig, manager of the network security group at Ohio State University in Columbus.

And there’s more than money on the line. Companies that fail to react quickly to security incidents stand to suffer damage to their reputations and lose customers.

A CIRT’s key mission, therefore, is to orchestrate a speedy and organized companywide response to computer threats. The following are some tips for building that capability:

KNOW YOUR CONSTITUENCY: Decide which computers, address ranges and domains will be monitored for incidents, says Romig. Know what services the CIRT will provide and to whom. Develop policies for when to disclose security breaches and when to report an incident to law enforcement agencies, Romig says. And be sure to advertise contact information for the CIRT throughout the company, he adds.

ASSEMBLE THE TEAM: Figure out which department the CIRT should be in and who should head it. Many companies put the team within the IT group, although others add the CIRT to the security or audit group, or make it a stand-alone function, says Georgia Kilcrece, a member of the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.

“Wherever it sits, [a CIRT] will not succeed without management support,” she says, because the team may require cooperation among multiple departments, such as legal and human resources.

The incident response team at the University of Wisconsin-Madison has a process for calling in its legal department and local law enforcement when incidents involve activities such as computer-related harassment, says Kim Milford, information security manager at the university.

Companies that can afford it sometimes maintain a formal team of specialists whose sole task is to respond to external and internal security breaches.

For example, one financial services firm has a core incident response team of 12 full-time specialists. Additional members are pulled in from the company’s human resources and legal departments to assist this core team if necessary, says the company’s IT director, who requested anonymity.

The University of Wisconsin-Madison has entrusted the task of coordinating incident response to one full-time worker. That person acts as a central point of contact for reporting and responding to incidents. Along with the university’s IT security group, the employee is responsible for assessing the scope, priority and threat level of an incident, as well as for suggesting a response, Milford says.

CREATE A SWAT TEAM: Maintaining a full-time incident response team can be expensive, so many companies choose to have an ad hoc incident response team that can come together quickly when needed, says Mogull.

Providence Health System creates SWAT teams to respond to specific incidents, such as virus infections, says David Rymal, director of technology at the Seattle-based health care provider.

“We use pager alerts and call an incident response meeting of the functional groups designated to respond to such incidents. In that meeting, we’ll set a plan of action and a communication plan” for dealing with the threat, Rymal explains.

But, he adds, Providence Health System doesn’t have formal methods of maintaining a CIRT beyond knowing the key players and who responds to which types of incidents.

GET ORGANIZED: Have written policies and procedures and assign responsibilities upfront, says the financial services firm’s IT director. “We maintain a formal list with names, cell phone numbers and beeper [numbers] of people who can be called in to assist the core team,” he says.

Figure out what equipment you’ll need, where you’ll house it and how you’ll protect the CIRT function. You don’t want unauthorized people accessing information that a CIRT may uncover during a response, Kilcrece says.

None of this does any good if the plan merely sits on a shelf. Conduct frequent drills and mock exercises, especially for ad hoc teams, the financial services IT director says, adding, “Remember, it is a process that you have to do right but hope you never have to use.”


With money and reputation on the line, a computer incident response team must be speedy and organized. By Jaikumar Vijayan

Mistakes by a well-meaning IT staff could taint evidence and derail a court case. By Dan Verton

It could be a series of erroneous corporate earnings statements or the unwitting loss of valuable trade secrets or customer data. It could be a string of sexual harassment allegations all pointing to one senior manager. Or it could be improper Internet usage that forces you to terminate an employee, who then sues for wrongful dismissal.

Whatever the cause, these potentially disastrous scenarios can be solved or proven only with the help of IT professionals with the right set of skills to investigate computer crimes.

Once thought of as the exclusive realm of violent-crime experts, forensics is fast becoming a mandatory skills set for companies that need to show that computer crimes don’t go unsolved or unpunished. It’s the painstaking and methodical sifting of data with one goal in mind: to gather evidence that will stand up in court. Here are some tips from the experts to make sure you win your case.

Lay the Legal Groundwork

Computer forensics is the identification, extraction, preservation and documentation of computer evidence that will stand up to legal challenges about its authenticity, accuracy and integrity. Think of it as an autopsy of a computer system with the goal of determining whether a crime has been committed and by whom and later proving it.

Forensics for The Rest of Us

What nonexperts should do first in a computer crime investigation:

DO isolate the target system.

Bring in legal support, and determine the scope of the investigation.

DON’T power on or boot up the system.

DO obtain copies of backup tapes from the local and regional IT departments within your company. Bag, tag and secure them.

DO preserve the data’s evidentiary value by bagging and tagging all hardware, storing it in a vault or secure area and keeping a log of access to evidence.

“Computer forensics is a process or methodology to discover or refute an area of inquiry,” says Morgan Wright, a senior information security specialist at Unisys Corp. in Blue Bell, Pa., and a board member of the International Association of Computer Investigative Specialists in Donahue, Iowa.

Computer forensics is knowing, for example, that your company’s trade secrets have been leaked to a rival and then proving or disproving that the employee you suspect of committing the breach is responsible. “Once you understand what the objective is, that’s when you start your forensic investigation,” says Wright. “Forensics is neither pro-prosecution nor pro-defense; it’s the pursuit of the truth.”

Hire  Trained  Investigators 

Wright says the key difference between standard employee monitoring and a forensics investigation is the goal of preserving evidence that will stand up to legal challenges in court. He cites as an example the investigation of an acceptable-use violation, which might include looking into the user’s history and proxy servers.

“On the other hand, let’s say that same employee downloaded child pornography. Now, a system administrator who is not trained in forensics can accidentally trample over a lot of key evidence,” says Wright.

The most common mistake that companies make when it comes to computer forensics is thinking that their own systems administrators are capable of conducting a professional forensics investigation, says Thomas Aleman, national leader of analytic and forensic technology at Deloitte & Touche LLP’s Computer Forensic and Investigative Services Group.

“The IT department is typically not trained and doesn’t have the appropriate tools,” says Aleman. “They turn on the machine under investigation, and as happens when machines are powered on, critical data starts changing.”

In fact, Aleman recalls a case where the IT department at a large manufacturing firm was called in to recover data from the computer of a terminated employee who claimed to have been wrongfully dismissed. The administrators first turned on the suspect’s computer. “The reality was that critical files had changed. And from a prosecution standpoint, the terminated employee was then in a position to argue that incriminating data was not in his system when he left,” he says.

Aleman says other aspects of forensics investigations could trip up typical administrators. For example, local administrators at branch offices aren’t always aware of the regional data backup schedules at larger companies, he says. That could pose a problem if defense lawyers question them about the version and timeliness of the data they’re presenting in court.

Such oversights could seem minor to most IT managers, but they can mean the difference between a successful prosecution (or defense) in court and watching your case unravel, says Matt Yarbrough, a former assistant U.S. attorney who spearheaded the formation of the North Texas Regional Computer Forensic Laboratory, the largest of its kind in the U.S. Of the 10 economic espionage cases brought to his office, only one made it to court, Yarbrough says. The rest were undermined by tainted forensic evidence.

“As a prosecutor, there’s nothing worse than a company that sponsors its own evidence in court,” says Yarbrough, who is now an attorney at Fish & Richardson PC in Dallas. “Being a super system administrator doesn’t make you a forensics evidence expert capable of bringing evidence into the courtroom.”


FORENSICS RESOURCES

Assisting in a forensics investigation can be a complicated business, but there are resources available to help.

QuickLink: 30849
www.computerworld.com


Forensics Tricks of the Trade

What the experts do first in a computer crime investigation:

SET UP LUNCHBOXES

According to Matt Yarbrough, a former assistant U.S. attorney, forensics experts use “lunchboxes,” or special computers plugged into the suspect’s system that allow investigators to examine a machine without turning on its power and booting from the drive. A lunchbox creates a bit-by-bit, sector-by-sector mirror of the machine. It then produces reports that are generated by one of several software packages used by law enforcement agencies such as the FBI.

COPY SLACK SPACE

“Copying both active and unallocated space, called slack space, is also critical,” says Kristin Nimsger, associate legal counsel and electronic discovery consultant at Eden Prairie, Minn.-based Ontrack Data International Inc. This is important because deleted files are never really deleted; they are merely stored in slack space.

RECORD THE CHAIN OF CUSTODY

Nimsger also recommends creating an electronic log to record access to the original copy of the drive. This protects the chain of custody of the evidence. And before any analysis is conducted, she advises defining the scope of the investigation so as not to stumble into any privacy violations.

ISOLATE THE SUSPECT SYSTEM

Forensics investigations, especially ones that will produce admissible evidence, don’t end after a copy of the suspect’s hard drive is made. It’s critical that the suspect system is locked down and isolated immediately, says Yarbrough.

Once an image of the hard drive has been captured, the hard drive should be bagged and tagged, or placed in a container in a secure evidence vault with a seal that’s properly labeled and dated to show that it hasn’t been tampered with. All analysis should be conducted on the copies only.

At the end of the day, it all comes down to convincing a judge that the data you are presenting in court is in fact what you say it is, says Yarbrough.

CREATE A TASK LIST

A thorough investigation can take anywhere from 20 to 30 hours, says Morgan Wright, a senior information security specialist at Unisys Corp. “Therefore, it’s important to have a checklist and to conduct every step as if it’s going to end up in court,” he says.

USE AUTOMATION TOOLS ONLY TO SUPPLEMENT EXPERTISE

There are many automated tools to help with an investigation. They include Symantec Corp.’s Norton Disk Edit, AccessData Corp.’s Forensic Tool Kit, Guidance Software Inc.’s Encase and Raytheon Co.’s Silent Runner. But, Wright warns, “you should not be using automation to [make up for] lack of experience.”

- Dan Verton
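
The access log and the rule that analysis touches only copies can both be checked mechanically. The following is an added illustration, not code from the article or from any tool it names: a hash-chained custody log plus a digest comparison between the sealed original image and the working copy. File names, actors and timestamps are constructed, and `CustodyLog` and `sha256_file` are hypothetical helper names.

```python
import hashlib
import json
import os
import shutil
import tempfile

GENESIS = "0" * 64  # placeholder "previous hash" for the first log entry


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large image never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _entry_hash(fields):
    """Hash the canonical JSON form of an entry (every field except its own hash)."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class CustodyLog:
    """Append-only access log in which each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, when, who, action, item, item_sha256):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        fields = {
            "seq": len(self.entries),
            "when": when,
            "who": who,
            "action": action,
            "item": item,
            "item_sha256": item_sha256,
            "prev_hash": prev,
        }
        entry = dict(fields, entry_hash=_entry_hash(fields))
        self.entries.append(entry)
        return entry

    def first_broken_entry(self):
        """Return the seq of the first entry that fails verification, or None."""
        prev = GENESIS
        for entry in self.entries:
            fields = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev_hash"] != prev or _entry_hash(fields) != entry["entry_hash"]:
                return entry["seq"]
            prev = entry["entry_hash"]
        return None


def demo():
    """Image a constructed 'drive', log every access, then show what tampering looks like."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "evidence-001.img")
    working = os.path.join(workdir, "evidence-001.copy.img")

    # Constructed stand-in for a sector-by-sector image, unallocated bytes included.
    image = b"ACTIVE FILE DATA" + b"\x00" * 496 + b"deleted-but-present" + b"\xff" * 493
    for path in (original, working):
        with open(path, "wb") as fh:
            fh.write(image)

    log = CustodyLog()
    baseline = sha256_file(original)
    log.record("2002-07-15T09:00:00Z", "examiner.a", "acquired image", original, baseline)
    log.record("2002-07-15T09:20:00Z", "examiner.a", "sealed original in vault", original, baseline)
    log.record("2002-07-15T09:30:00Z", "analyst.b", "opened working copy", working,
               sha256_file(working))

    copy_matches = sha256_file(working) == baseline
    intact_before = log.first_broken_entry()

    # A write to the working copy changes its digest; the sealed original still has the baseline.
    with open(working, "ab") as fh:
        fh.write(b"tool scratch data")
    copy_matches_after_write = sha256_file(working) == baseline

    # An old log entry is edited after the fact: the chain exposes which one.
    log.entries[1]["who"] = "someone.else"
    broken_at = log.first_broken_entry()

    shutil.rmtree(workdir)
    return copy_matches, intact_before, copy_matches_after_write, broken_at


if __name__ == "__main__":
    print(demo())
```

A hash chain exposes edits and deletions inside the log; recording the latest entry hash somewhere outside the log, such as on the evidence tag, is what keeps the whole chain from being regenerated unnoticed.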
Watch Out For Wireless Rogues

Employees  are  bringing  unsecured  wireless 
LAN  access  points  through  the  back  door. 
Here’s  how  to  fight  back.  By  Bob  Brewin 


Twenty years ago, employees started sneaking PCs into the office, under the radar of mainframe-oriented IT departments.

Now, tens of thousands of unauthorized wireless LAN hardware devices called access points (AP) have popped up in enterprise networks nationwide, according to analysts, vendors and users. The majority of these rogue APs are being brought in through the back door without the IT unit’s knowledge. They’re installed by employees who crave mobility and don’t mind spending $200 or less for a wireless AP.

It’s “a classic example of technology bypassing corporate IT,” says Dave Bray, director of network technology at ADC Telecommunications Inc. in Eden Prairie, Minn. But the proliferation of unauthorized APs is a far more serious threat than the stand-alone PCs that were brought in 20 years ago, he says.

These industry-standard 802.11b, or Wi-Fi, devices are plugged directly into an enterprise network, often behind a firewall. They transmit sensitive data that can be easily picked up by a snoop using freeware hacking tools and a $99 wireless LAN card while sitting in an office parking lot.

Sophisticated hackers don’t even need to be near the premises to pick up a signal. Using long-range antennas — either commercial products or home-brew devices crafted from, say, Pringles potato-chip cans or coffee cans — they can pick up 802.11b signals from 1,000 to 2,000 feet away.

These serious hackers could be exploiting what analysts call “malicious” APs that are secretly installed in an Ethernet network by people who have easy access to property, such as maintenance personnel. Thor Sigvaldson, director of the advanced technology group at PwC Consulting in New York, says it’s an easy form of industrial espionage. “You just stick one [wireless AP] into a network. It doesn’t even need maintenance,” he says.

Sigvaldson estimates that any U.S. enterprise, branch office, plant or store with more than 50 employees probably has one or more rogue APs.

Bray says IT managers should adopt policies that welcome the wireless LAN technology but protect networks at the same time.

“We don’t want to inhibit the technology, but we do want it installed in a secure fashion,” he says. “We now have a policy against installing wireless LANs without corporate IT approval.”

IT managers also have to engage in a time-consuming wireless AP “discovery process” to hunt down unauthorized installations, says Bray.

ADC initially sent staffers to walk around the company’s 100-plus facilities worldwide with wireless LAN-equipped laptops and “sniffer” software to detect rogue APs. The staffers found an unspecified number of rogue APs in manufacturing facilities, but none in office operations, Bray says.

Vendors take various approaches to automating this process. AirDefense Inc. in Alpharetta, Ga., provides a suite of tools that make it easy to pinpoint the electronic signatures of the majority of wireless LAN APs and access cards on the market. The AirDefense tool set includes sniffers that can detect 802.11b transmissions, so that signatures of unknown APs can be compared to a database of authorized gear.

Finisar Corp. in Sunnyvale, Calif., recently introduced a wireless LAN spectrum analyzer that can help pinpoint unauthorized APs. IBM last month introduced the Distributed Wireless Security Auditor, which uses authorized wireless clients as sensors to detect rogue APs [QuickLink: 30667].

The Sniffer, from Network Associates Inc. in Santa Clara, Calif., works from the wired side of the network, using tools such as Simple Network Management Protocol to determine the IP address of all wireless devices.

Securing wireless LANs against rogue APs and hackers can be costly, says Chris Kozup, an analyst at Meta Group Inc. in Stamford, Conn.

“The cost of truly securing a wireless LAN will run anywhere from 10% to 100% of the hardware cost,” Kozup says. “Once we walk customers through this, they sometimes decide wireless is too expensive.”

WIRELESS LAN SECURITY

Learn about three products for detecting rogue wireless LAN APs.

QuickLink: 30856
www.computerworld.com

How to Defend Against Rogue Access Points

POLICY

■ Establish a no-exceptions policy against the use of wireless LANs without approval of the IT department.

■ Set up an amnesty program that will allow employees to disclose their self-installed APs to the IT department within a one-month period.

■ Encourage use of properly installed, configured and secured wireless LANs - if the business case justifies their use.

DISCOVERY

■ Use sniffing tools to physically survey all facilities for wireless LAN signals, and then zero in on unauthorized devices.

■ Don’t ignore low-tech, small or obscure operations, such as truck terminals, loading docks, branch offices, factories and the maintenance department. It takes only one rogue AP to open up an enterprise network.

MAINTENANCE

■ Continue to issue reminders of the no-exceptions policy.

■ Sniff premises periodically.

■ Consider centrally managed systems for detecting rogue APs within large organizations.
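
The discovery step, comparing what a walk-around survey hears against a database of authorized gear and then zeroing in on the unknown devices, can be sketched as follows. This is an added example, not the output format or logic of any product named in the article; the inventory, the survey rows, the field layout and the function names are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed inventory standing in for the "database of authorized gear".
AUTHORIZED = {
    "02:00:00:00:00:01": {"ssid": "corp-wlan", "site": "HQ floor 2"},
    "02:00:00:00:00:02": {"ssid": "corp-wlan", "site": "Plant 1 office"},
}

# Constructed survey rows:
# (survey point, BSSID as the tool printed it, SSID, signal in dBm, encryption seen?)
SIGHTINGS = [
    ("HQ lobby",       "02-00-00-00-00-01", "corp-wlan", -61, True),
    ("HQ floor 2",     "0200.0000.0001",    "corp-wlan", -40, True),
    ("Plant 1 dock",   "02:00:00:00:0A:BC", "wlan-test", -72, False),
    ("Plant 1 line 3", "02:00:00:00:0a:bc", "wlan-test", -48, False),
    ("Plant 1 office", "02:00:00:00:00:02", "corp-wlan", -50, False),
    ("Truck terminal", "0200.0000.0def",    "default",   -55, False),
]


def normalize_bssid(raw):
    """Reduce any common MAC notation to lower-case, colon-separated form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(sightings, authorized):
    """Group sightings per AP and report the ones that need a visit.

    An AP missing from the inventory is 'unauthorized'. An inventoried AP heard
    without encryption at any survey point is 'authorized-unsecured'.
    """
    by_bssid = defaultdict(list)
    for point, raw, ssid, rssi, encrypted in sightings:
        by_bssid[normalize_bssid(raw)].append((point, ssid, rssi, encrypted))

    findings = []
    for bssid, seen in sorted(by_bssid.items()):
        if bssid not in authorized:
            status = "unauthorized"
        elif not all(row[3] for row in seen):
            status = "authorized-unsecured"
        else:
            continue  # known device, encryption on everywhere it was heard
        # The strongest signal marks the survey point closest to the device.
        nearest = max(seen, key=lambda row: row[2])
        findings.append({
            "bssid": bssid,
            "status": status,
            "ssid": nearest[1],
            "start_search_at": nearest[0],
            "rssi": nearest[2],
            "points_heard": [row[0] for row in seen],
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SIGHTINGS, AUTHORIZED):
        print(finding)
```

Normalizing the address first matters because the same AP reported in two notations would otherwise count as two devices, one of them unknown.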


EXCLUSIVE COMPUTERWORLD SURVEY

Secrets in the Air

A survey of 159 IT professionals finds that almost half of them aren’t confident that all of their wireless LAN access points are secured. And 30% have found rogue APs.

Are you confident that any and all wireless LAN APs in your organization have been identified and secured? Don’t know: 13.2%

Do you have a written policy against employees installing their own wireless LAN networking gear (without IT department involvement)? Don’t know: 10.7%

Have you identified any rogue wireless APs in your organization? Don’t know: 12.6%

Do you “sniff” or monitor your corporate premises to determine the existence of rogue wireless APs? Don’t know: 8.2%

BASE: 159 IT PROFESSIONALS FAMILIAR WITH WIRELESS LAN

SURVEY WAS CONDUCTED JUNE 4-21 ON COMPUTERWORLD.COM
Distributing IT resources across multiple locations could make it easier to recover from a disaster. By James Cope

THE TERRORIST ATTACKS on the U.S. last September fundamentally changed the way some IT managers think about disaster recovery. “It’s no longer a matter of planning what to do should fire or flooding prevent access to buildings,” says Bob Fucito, vice president of crisis management and business continuity at investment banking firm BNP Paribas. Today, businesses have to prepare for the ultimate security risk: what to do when people and buildings are intentionally targeted and destroyed.

Fucito should know. His duties include managing disaster recovery for Paris-based BNP Paribas’ North American operations. And he says he’s thankful that his company’s executives supported the creation of a disaster recovery plan that emphasizes distribution of IT resources — two years before the Sept. 11 attacks. The company had to evacuate its New York City building after the attacks, but Fucito says having two separate data centers and a contract with a hot-site recovery provider put BNP Paribas in a better position to continue doing business.

BNP Paribas isn’t alone in thinking that having IT resources in one building or on a single network isn’t a good idea. Other major organizations, such as The Boeing Co., United Air Lines Inc., the Chicago Board of Trade and the U.S. Postal Service, try to mitigate the risk to IT resources by distributing data, applications and network infrastructure. They also have redundant communications links at the ready.

All of those organizations have the same goal: to quickly recover or even seamlessly continue doing business when disaster strikes. But they have different ways to accomplish it. Here are four approaches that major companies are using to stay prepared.


1 Redundancy and multiple routes: UAL Loyalty Services Inc. in Schaumburg, Ill., an online customer service unit of United Air Lines parent UAL Corp., is installing duplicate systems at two company-owned and -operated data centers. Both are in the Chicago area, says Igor Rafalovsky, director of networking and security, but the facilities are geographically separated. A metropolitan-area network capable of gigabit speeds, known as a GigaMAN, connects the two centers, Rafalovsky says. Moreover, each data center is connected over T3 lines running to separate Private Network Access Points (P-NAP), which are Internet backbone connection points owned and operated by Internap Network Services Corp. in Seattle.

And even at the P-NAPs, traffic going to and from the two UAL data centers runs across multiple Internet backbones from different providers, such as Sprint Corp., WorldCom Inc. and others. A P-NAP may have up to six or eight backbone providers online and available at any given time.

Both UAL data centers host Web servers, applications and databases. Disk storage is synchronized in real time over the GigaMAN, and both data centers are online all the time. “In the case of a catastrophic failure of one data center, the other one just picks up the traffic, in many cases without interruption ... or manual intervention,” Rafalovsky says.
2 Outsourced hot sites: When BNP Paribas IT employees evacuated their building in New York in response to the terrorist attacks, they moved to the company’s other data center in New Jersey to continue operations. Even so, Fucito says his firm also has a contract with New York-based SchlumbergerSema to provide off-site hot sites.

Hot sites duplicate the mission-critical parts of a company’s IT systems in secure buildings miles away from the primary sites. IT workers can go to hot sites to initiate recovery or simply resume work.

John Kersley, SchlumbergerSema’s vice president of business recovery, describes how it works: A corporate customer configures its own data centers to automatically mirror data and applications to the appropriate hot-site recovery center (or centers). That company’s IT employees are assigned physical positions (desks and workstations) at a specific center and instructed on how to get there if there’s a crisis. When the company’s workers are in place at the recovery center, it becomes a matter of patching the data through to the off-site desktops.

Hot sites are especially appealing to financial services organizations like BNP Paribas and the Board of Trade Clearing Corp., the clearinghouse for the Chicago Board of Trade, which has a hot-site contract with SunGard Data Systems Inc. in Wayne, Pa.

The concept also has value for major retailers. For example, Leeds, England-based ASDA Group Ltd. — a chain of food and clothing superstores owned by Wal-Mart Stores Inc. in Bentonville, Ark. — has an agreement with SchlumbergerSema to send select members of its IT staff to a global business recovery center if a disaster closes ASDA’s own IT facilities.

Advanced Tips

■ You can’t predict disasters. So be prepared for certain outcomes, such as being unable to enter the building.

■ A disaster recovery plan should be simple, not a thick binder on a shelf. It should fit on one sheet of paper or a single computer screen.

■ The plan should say where employees should go, whom to contact, which systems are likely to be affected and what to do about them.

■ Be realistic. It may not be possible for a Fortune 1,000 company to recover from a major disaster in 24 hours.

SOURCES: ALAN PARIS, CAPCO, NEW YORK; DAMIAN WALCH, T-SYSTEMS INC., LISLE, ILL.


3 Blend of internal and external redundancy: SunGard and SchlumbergerSema say the trend is toward using hot sites for disaster recovery. But Damian Walch, vice president of consulting at T-Systems Inc. in Lisle, Ill., sees the trend heading in the opposite direction.

“Companies are looking at internalizing their disaster recovery systems and moving away from hot-site providers,” Walch says. However, he acknowledges that the hot-site idea won’t go away anytime soon and that disaster recovery strategies often involve a blend of approaches.

In fact, extremely large and diverse organizations, particularly those using mainframes in addition to PC servers, foster redundancy through a mix of multiple in-house data centers and mirrored hot sites.

Chicago-based Boeing, for example, has to consider the specific needs of business units and the communication challenges that come with having a multitude of far-flung locations.

“Distributed hot-site contracts tend to be more expensive with mainframe environments. We try to consolidate and centralize IT but also avoid the risk of too many megacenters ... by having geographic separation [of IT facilities],” says Steve Guzek, Boeing’s program manager for disaster recovery.

Guzek maintains that focusing on networks is the key to eliminating single points of failure.

4 Satellite backup: Bob Otto, vice president of IT at the U.S. Postal Service (USPS) in Washington, says he could see the smoke from his office after the aircraft struck the Pentagon on Sept. 11.

“We then evacuated our computer center of our Washington facility and set it up for remote management from our Raleigh [N.C.] disaster center and immediately instructed our data centers in California and Minnesota to begin backing up to Raleigh,” Otto says.

Then Otto’s group learned that the New York attacks had knocked out the frame-relay links connecting facilities in New York to the postal service’s wide-area network. So the USPS pointed its VSAT satellite system toward New York, and the city’s post offices were almost immediately back on the network.

It was all part of the plan, says Larry Wills, manager of distributed computing for the USPS. While frame-relay land lines are the primary network connection to thousands of post offices across the U.S., the USPS has 11,000 VSAT installations nationwide, Wills says. The VSAT services are provided by SpaceNet Inc. in McLean, Va.

Generally, the switch-over is automatic: When frame relay goes down, a satellite connection takes over. Wills says post offices generally don’t even know when it has happened.

Cope is a Computerworld contributing writer. He can be reached at jc@jamescope.com.

PLAN AHEAD WITH THREE VIEWS OF DISASTER

Before a system goes down, determine how the loss of that system will affect people, technology and processes.
BY DEBORAH RADCLIFF

At least once each month, Terra Lycos SA’s high-profile Internet media products, such as Lycos Mail, Tripod and Angelfire, come under a denial-of-service (DOS) attack. As host to more than 300 distinct Web sites and 40.3 million users, the international hosting and Internet media company makes an obvious target, explains Tim Wright, chief technology officer and CIO at Terra Lycos’ U.S. headquarters in Waltham, Mass.

The attacks aren’t the traffic-clogging distributed denial-of-service (DDOS) attacks that used remote-controlled servers to flood Amazon, Yahoo, eBay and others with debilitating levels of traffic in early 2000.

Oldie  but  Baddie 

The DOS attacks Wright sees are much older than that. They’re called syn flood, a type of attack that has been around as long as TCP. Syn floods fake the initial connection synchronization (syn) requests. The target responds with an acknowledgement (ack), for which it will receive no response. The target server holds the session open for a given length of time and then times out. A high-volume succession of these fake sessions prevents the machine from opening legitimate connections.

There’s really no protection against syn floods, because they take advantage of the inherent purpose of routing protocols — to route TCP session connection requests. “The worst kind of attacks are where the protocol says it’s normal,” Wright explains.

What Can You Do?

Syn flood remedies:

■ Shorten how long a server will wait before timing out.

■ Block traffic coming from the spoofed IP address.

■ Use egress filtering (www.incidents.org/protect/egress.html) to prevent your network from being used as a spoofed IP address.

DRDOS remedies:

■ At the time of the flood, ask your upstream service provider to “null route” packets coming at the IP. Unfortunately, this means dropping all packets coming into that IP address, which still results in a denial of service.

■ Use traffic pattern analysis and network sniffers to help detect these attacks faster.

Now, syn floods are getting a whole lot nastier. A new form of syn, called a distributed reflection denial-of-service (DRDOS) attack, knocked Laguna Hills, Calif.-based Gibson Research Corp. (GRC) off the Web for four hours in January.

A DRDOS attack is the inverse of a syn flood, says Steve Gibson, president of GRC. Gibson coined the term for the new attack method after his experience in January.

That’s when attackers sprayed GRC.com’s IP across core Internet routers and connected TCP devices, making them believe that GRC.com was trying to initiate a connection. Being the obedient devices that they are, they responded en masse to GRC.com with their ack replies. GRC.com’s server, knowing that it didn’t initiate the TCP session requests, simply dropped the acks. Thinking their ack requests were lost in cyberspace, the devices tried again — up to four times — magnifying the attack.

Gibson says he’s aware of many companies that have come under such DRDOS attacks. “Web hosting sites and other major sites are the biggest targets,” he says. “You upset some script kiddie — they especially don’t like spammers — and they’ll punish somebody.”

Filtering doesn’t help because it slows all traffic, say Wright and Gibson. In a DRDOS attack, the ack packets come from everywhere, so there’s no way to filter.

The only way to deal with such an attack is to take the target machine off the Web and wait it out, or ask your Internet service provider to “null route” (drop incoming syn or ack packets to the affected machine), Gibson explains. That way, the attackers can’t block traffic to other machines on that network segment. But then, he adds, “the attacker’s still won. They’ve shut your site down.”

DEFINITION

Denial of service is a form of attack in which a network server is overloaded by thousands of false communications and/or requests for services originating from programs in one or more outside computers. Ultimately, the network receives so many queries that it can’t keep up with them and is thus unavailable to answer or service legitimate requests.

[Figure: The Distributed Reflection DOS Attack. Labels: spoofed syn generator; syn packets carrying target’s source IP; well-meaning and innocent servers; syn/ack packets from servers responding to spoofed syn packets. SOURCE: GIBSON RESEARCH CORP., LAGUNA HILLS, CALIF.]
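
Two of the remedies listed in the article, shortening the half-open timeout and using traffic pattern analysis to spot a reflection flood sooner, can be seen on a replayed packet trace. This is an added sketch, not code from the article, GRC or Terra Lycos; the tuple trace format, the documentation-range addresses, the 75-second and 10-second timeouts and the 128-entry backlog are constructed assumptions.

```python
from collections import Counter

SERVER = "192.0.2.80"  # constructed address of the protected host

# Packet tuple layout used throughout: (time s, src ip, src port, dst ip, dst port, flags)
# with flags "S" (syn), "SA" (syn/ack) or "A" (final ack of the handshake).


def build_syn_flood():
    """Constructed trace: 10 spoofed syns per second for 60 s, plus two real clients."""
    packets = []
    for second in range(60):
        for j in range(10):
            packets.append((second, f"203.0.113.{j}", 1024 + second, SERVER, 80, "S"))
    for start, client in ((5, "198.51.100.7"), (30, "198.51.100.8")):
        packets.append((start, client, 40000, SERVER, 80, "S"))      # real syn
        packets.append((start + 1, client, 40000, SERVER, 80, "A"))  # handshake completes
    return packets


def build_reflection():
    """Constructed trace: one real outbound connection, then 40 reflectors x 4 syn/acks."""
    packets = [(1, SERVER, 50000, "203.0.113.10", 443, "S"),
               (2, "203.0.113.10", 443, SERVER, 50000, "SA")]
    for k in range(40):
        for attempt in range(4):  # first reply plus retransmissions
            packets.append((10 + attempt * 3, f"198.51.100.{100 + k}", 80,
                            SERVER, 6000 + k, "SA"))
    return packets


def half_open_pressure(packets, server_ip, timeout, backlog):
    """Replay inbound syn and ack packets against a fixed-size half-open table.

    Returns (peak table occupancy, set of source IPs whose syn was refused).
    """
    pending = {}  # (client ip, client port, server port) -> arrival time of the syn
    peak, refused = 0, set()
    for t, src, sport, dst, dport, flags in sorted(packets):
        if dst != server_ip:
            continue
        # Entries that waited `timeout` seconds for the final ack are dropped.
        for stale in [k for k, t0 in pending.items() if t - t0 >= timeout]:
            del pending[stale]
        key = (src, sport, dport)
        if flags == "S" and key not in pending:
            if len(pending) >= backlog:
                refused.add(src)   # table full: this connection attempt is lost
            else:
                pending[key] = t
        elif flags == "A":
            pending.pop(key, None)  # handshake finished, slot released
        peak = max(peak, len(pending))
    return peak, refused


def unsolicited_synacks(packets, host_ip):
    """Count inbound syn/acks that answer no syn this host sent.

    Returns (total unsolicited syn/acks, number of distinct senders).
    """
    expected = set()        # (remote ip, remote port, local port) for our own syns
    unsolicited = Counter()
    for t, src, sport, dst, dport, flags in sorted(packets):
        if src == host_ip and flags == "S":
            expected.add((dst, dport, sport))
        elif dst == host_ip and flags == "SA" and (src, sport, dport) not in expected:
            unsolicited[src] += 1
    return sum(unsolicited.values()), len(unsolicited)


if __name__ == "__main__":
    flood = build_syn_flood()
    print("timeout 75 s:", half_open_pressure(flood, SERVER, 75, 128))
    print("timeout 10 s:", half_open_pressure(flood, SERVER, 10, 128))
    print("reflection  :", unsolicited_synacks(build_reflection(), SERVER))
```

With the long timeout the table fills and the second real client is refused; with the short one the same flood peaks below the backlog. Many unsolicited syn/acks from many distinct senders is the traffic pattern that separates the reflection case from an ordinary syn flood.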
NICHOLAS PETRELEY

Think Like a Terrorist


I  was  working  from  my  home  office  a  few  years 
ago  when  my  access  to  a  Web  site  called  NC 
World  was  suddenly  cut  off.  My  service  pro¬ 
vider  told  me  that  a  router  in  Southern  Califor¬ 
nia  had  gone  down.  This  struck  me  as  odd  for 
two  reasons.  First,  I  live  in  Northern  California, 
about  a  half-hour  from  San  Francisco,  where  NC 
World  was  hosted  at  the  time.  Second,  I  was  under 
the  impression  that  one  of  the  primary  design  goals 
for  the  Internet  was  to  make  sure  that  communica¬ 
tions  would  proceed  uninterrupted  even  if  some  of 
the  primary  hubs  are  taken  out  by  a  nuclear  blast. 


I have no idea what really caused this temporary outage, but I assume it occurred because of a minor hardware failure or administrator error. But if Internet communications are this easily interrupted by accident, I can’t help but conclude that we are totally unprepared for the consequences of an intelligent, direct attack by cyberterrorists.

Here’s how you can prevent such an attack: Think like a terrorist. Look at trends, and explore every possible opportunity and method possible to launch an attack on the U.S. infrastructure and economy. Then put your IT hat back on and plan ahead to prevent these methods from working.

Here’s an example. One inevitable trend is the increase in business-to-business transactions over the Internet, a trend that will only be fortified by the advancement of Web services. Let’s assume, for the sake of argument, that within two to 10 years, most business-to-business transactions will take place over the Internet. If I were a cyberterrorist, I would plan now for the day when I could disrupt as many of these business-to-business transactions as possible. Depending on how many servers I could bring down and for how long, I could create big headlines, delay or halt shipments, or perhaps even do lasting damage to the economy.

The obvious method is to launch a distributed denial-of-service attack. That would get me the most bang for the buck. I don’t have to defeat firewalls, gain administrator access to business computers or crack any Web services to launch this kind of attack. All I have to do is overwhelm carefully selected servers or just as many servers as possible.

So, how do I distribute the attack software? Microsoft’s business model is the most promising. Microsoft makes its money by putting its products in the hands of as many people as possible, after which it charges everyone in the service chain a nickel. Its latest plan revolves around turning the Xbox game console into a home entertainment center, after which it can charge content providers for the digital rights management they so desperately need in order to protect their revenue streams.

Microsoft needs only two things to happen to make this work: It must get the Xbox into 100 million homes or more, and the cost of broadband access to the Internet has to drop to within reach of the average household.

You should be able to see where I’m going with this by now. If you wanted to launch the ultimate denial-of-service attack, what more could you ask for than 100 million Xbox units with broadband access to the Internet, all running software developed by the “crack me” specialists of the world?

Now, what’s the cure?

I’m afraid to disappoint those of you who are expecting a knee-jerk anti-Microsoft response, but nuking the Xbox wouldn’t solve anything. Microsoft is depending on getting its software into every home one way or another, so the best answer is to prepare for that day.

For one thing, I would pressure everyone necessary to standardize and implement quality-of-service (QOS) protocols. Demand that your ISP support QOS. Implement QOS as part of your plans for Web services. Most important, pressure vendors to implement QOS in hardware whenever possible, especially for high-volume consumer devices like game machines, cell phones or anything else that can connect to the Internet. If the hardware wraps every packet in a low-priority envelope, nobody can trick an Xbox or any other consumer device into generating data that takes precedence over the information that runs our country.

This is only one example and one possible solution. How many can you think of?


OPINION 


NICHOLAS  PETRELEY  is  a 

computer  consultant  and 
A few short years ago, the mention of virtual private networks would send network and security administrators running for cover. VPNs were too difficult to deploy correctly, the technology wasn’t mature, and the return on investment was negligible. Now, what a difference. Today, VPNs are well accepted, and indeed, many companies view them as a necessity for both security and cost reasons.


What’s a VPN?

A virtual private network (VPN) is a network connection that has the appearance and many of the advantages of a dedicated link but is in fact implemented over a shared network. Using a technique called tunneling, data packets are transmitted across a public routed network such as the Internet. Generally, the private network data and protocol information are carried inside a wrapper so that along the way, they look like data to the routers, which remain unaware that the transmission is part of a private network. Only when the transmission reaches its destination is it unwrapped and sent to its intended recipient. This private “tunnel” simulates a point-to-point connection, and it allows network traffic from many sources to travel via separate tunnels across the same infrastructure.

Tunneling allows network protocols to traverse incompatible infrastructures. It also enables traffic from many sources to be differentiated so that it can be directed to specific destinations and receive specific levels of service.

Tunneling can be initiated by a variety of network devices and software, such as an end user’s laptop equipped with an analog PC modem card and VPN-enabled dial-up software. (Basic tunneling and security capabilities have been bundled into Windows since the release of Windows 95.)

Tunnels can also be started by a VPN-enabled extranet router on an enterprise branch or home office LAN, or by a VPN-enabled access concentrator at a network service provider’s point of presence. A tunnel is ended by a tunnel terminator or switch on an enterprise network, or by a VPN gateway on a network service provider’s network extranet router.

In addition, there are usually one or more security servers. Along with their conventional functions as firewalls and address translators, VPNs can provide for data encryption, authentication and authorization. Tunneling devices perform these functions by communicating with security servers. Such servers also usually provide information on bandwidth, tunnel end points and, in some cases, network policy information and service levels.
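
The wrapping, transit and unwrapping described above can be traced in a short Python sketch, added here as an illustration and not taken from the article or from any VPN product. The header layouts, addresses, keys and router names are constructed for the example; the wrapper is authenticated with HMAC-SHA256 but not encrypted, so it shows how tunnels are separated and verified, not confidentiality.

```python
import hashlib
import hmac
import ipaddress

import struct

# Constructed header layouts for this example (not a real VPN wire format).
OUTER = struct.Struct("!4s4sIQ")   # public src, public dst, tunnel id, sequence
INNER = struct.Struct("!4s4sH")    # private src, private dst, payload length
TAG_LEN = 32                       # HMAC-SHA256 output size


def ip(text):
    return ipaddress.IPv4Address(text).packed


def build_inner(src, dst, payload):
    """The private packet as the sender's LAN produced it."""
    return INNER.pack(ip(src), ip(dst), len(payload)) + payload


def parse_inner(data):
    src, dst, length = INNER.unpack_from(data)
    payload = data[INNER.size:]
    if len(payload) != length:
        raise ValueError("inner length mismatch")
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), payload


class TunnelEndpoint:
    """Starts and terminates tunnels; one key and one counter per tunnel."""

    def __init__(self, local, tunnels):
        self.local = ip(local)
        self.tunnels = {tid: (ip(peer), key) for tid, (peer, key) in tunnels.items()}
        self.next_seq = dict.fromkeys(tunnels, 1)
        self.highest_seen = dict.fromkeys(tunnels, 0)

    def encapsulate(self, tunnel_id, inner):
        peer, key = self.tunnels[tunnel_id]
        header = OUTER.pack(self.local, peer, tunnel_id, self.next_seq[tunnel_id])
        self.next_seq[tunnel_id] += 1
        # The tag covers the outer header too, so the tunnel id and sequence
        # number cannot be altered in transit without detection.
        tag = hmac.new(key, header + inner, hashlib.sha256).digest()
        return header + inner + tag

    def decapsulate(self, outer):
        if len(outer) < OUTER.size + INNER.size + TAG_LEN:
            raise ValueError("packet too short")
        src, dst, tunnel_id, seq = OUTER.unpack_from(outer)
        if dst != self.local or tunnel_id not in self.tunnels:
            raise ValueError("no such tunnel terminates here")
        peer, key = self.tunnels[tunnel_id]
        body, tag = outer[:-TAG_LEN], outer[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if src != peer or not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        # Strictly increasing counter: simpler than a sliding window, so
        # reordered packets are rejected along with replays.
        if seq <= self.highest_seen[tunnel_id]:
            raise ValueError("replayed packet")
        self.highest_seen[tunnel_id] = seq
        return tunnel_id, parse_inner(body[OUTER.size:])


def transit_next_hop(outer, routes):
    """A public router's view: longest-prefix match on the outer destination.
    Everything after the outer header is opaque data to it."""
    dst = ipaddress.IPv4Address(OUTER.unpack_from(outer)[1])
    matches = [net for net in routes if dst in net]
    if not matches:
        raise LookupError("no route")
    return routes[max(matches, key=lambda net: net.prefixlen)]


# Constructed sample topology: documentation-range public addresses,
# RFC 1918 private addresses, made-up keys and router names.
KEY_A, KEY_B = b"constructed-key-branch-a", b"constructed-key-branch-b"
ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): "isp-default",
    ipaddress.ip_network("203.0.113.0/24"): "isp-to-corporate",
}


def demo():
    """Two branches send through separate tunnels to one corporate gateway."""
    gateway = TunnelEndpoint("203.0.113.10", {1: ("198.51.100.1", KEY_A),
                                               2: ("198.51.100.2", KEY_B)})
    branch_a = TunnelEndpoint("198.51.100.1", {1: ("203.0.113.10", KEY_A)})
    branch_b = TunnelEndpoint("198.51.100.2", {2: ("203.0.113.10", KEY_B)})
    results = []
    for branch, tid, src in ((branch_a, 1, "10.1.0.5"), (branch_b, 2, "10.2.0.9")):
        outer = branch.encapsulate(tid, build_inner(src, "10.0.0.20", b"payroll batch"))
        hop = transit_next_hop(outer, ROUTES)
        results.append((hop, gateway.decapsulate(outer)))
    return results


if __name__ == "__main__":
    for hop, (tid, inner) in demo():
        print(f"forwarded via {hop}; tunnel {tid} delivered {inner}")
```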


Remote offices use a site-to-site VPN as an alternative to leased lines and frame relay. Internet access, including Digital Subscriber Line and cable modem broadband connections, is significantly less expensive than private lines. IPsec-enabled routers allow small branch offices to form a secured wide-area network with the corporate office. The corporate VPN gateway must be capable of remotely managing these branches.

[Figure: VPNs for Remote-Office Security. Diagram labels: corporate site, VPN gateway, remote site, VPN/firewall, remote site.]


The Battle for Mainstream Acceptance

Providing secure remote access and telecommunications over the Internet to remote workers is a fact of life in modern business, and virtual private networking is the primary technology making that possible. IT managers have had trouble adopting VPNs because of deployment issues, compatibility and interoperability problems and the expense of these systems.

That has changed. VPNs are entering the mainstream, and many companies view them as a telecommunications necessity from both security and cost perspectives. In fact, Framingham, Mass.-based IDC’s “2001 WAN Manager Survey,” published in December, concluded that IP VPNs are now a mainstream wide-area network option for most businesses. And browser-based Secure Sockets Layer VPNs are growing in popularity because they require little or no additional software or firewall reconfiguration.

“The trend has been to create VPNs for remote access, since they offer considerable cost reductions over toll-free numbers and in-house [remote access servers],” says Dave Kosiur, a senior analyst at Burton Group in Midvale, Utah.

But that’s not to say that enterprise VPNs have no rough edges. Depending on the type of technology and products selected, VPNs can still cause headaches and force companies to outsource deployment and management to service providers.

Increasingly, the VPN and firewall markets have been merging, as hardware-based implementations have continued to dominate. But interoperability between products from different vendors remains one of the VPN market’s biggest challenges. It’s also a challenge for large enterprises that may want or need to use different hardware and operating systems in different locations.

“The outlook for interoperable devices and software is improving, although it’s only natural for vendors to try and lock customers into only their product line,” says Kosiur. “There will always be value-added features in different vendors’ products that will inhibit 100% interoperability.”

Interoperability problems are “preventing the VPN market from meeting its potential,” says Leo Pluswick, technology program manager at ICSA Labs, a testing clearinghouse for VPN and firewall technologies in Mechanicsburg, Pa. “Each vendor develops to target a particular business problem. Large-scale, interoperable deployments are a goal, not a reality yet.”


ANSWERS ONLINE

Links to VPN resources: QuickLink: 31049
A list of VPN vendors: QuickLink: 31048
Q&A with analyst Dave Kosiur: QuickLink: 31040
computerworld.com
A Crowded, Confused Market

Dedicated VPN hardware revenues totaled $1.3 billion in 2001 and are forecast to reach $2.9 billion in 2005, according to a study published in February by Infonetics Research in San Jose.

End users of all types and sizes are also buying managed VPN and security services, representing a lucrative opportunity for all types of service providers, according to Infonetics. But the market is crowded, and it can be confusing. Some service providers offer only security, some offer only VPNs, and some offer both. Some vendors simply deploy and manage security and VPN devices; others actively monitor the network and provide the customer with an analysis of potential security gaps. There are also providers that offer services based on the equipment customers have in-house, vs. those that have network-based services or a blend of services on customer equipment and network-based services.

There are other barriers that the market must overcome. Many buyers are overwhelmed by the multitude of products available and the overcrowded service provider space.

“The market is real, but the market leaders for products and services have yet to truly emerge, and 2002 will be a critical year for product manufacturers and service providers to prove they can satisfy customer requirements,” the Infonetics study concluded.


COMPETITION 


CASE STUDY

Healthy Connections

Spectrum Health
Grand Rapids, Mich.

WHO THEY ARE: A large, regional integrated health care system serving 13 western Michigan counties and 1.38 million people.

GOAL: To meet the new security requirements called for by the Health Insurance Portability and Accountability Act and to manage 5,000 independent (nonemployee) users.

CHALLENGES: Spectrum has more than 60 locations in 13 counties, including seven hospitals. The network has to serve 12,000 employees and more than 1,000 independent physician’s offices. Thus, minimizing risk was one of the primary concerns, says Jim Toth, director of technology services.

“While we could cobble together some [homegrown] solutions, we were constantly running into challenges in encryption, tunneling and protection of our protected network zone,” says Toth. Without a VPN, Toth would have had to open up 50 ports into his network’s protected zone, which would have been a very insecure approach.

STRATEGY: Toth chose technology from AppGate Inc. in Durham, N.C., that established a link between terminal emulation software and the client PCs. The AppGate product, based on the Secure Shell protocol rather than IPsec or Secure Sockets Layer, provides a tunnel at the application layer, not just the network layer, and includes 128-bit encryption.

“Automatically, we have a secure tunnel at the application layer where I wanted to have it,” says Toth. “We really limit our points of access.”

ISSUES: Even with assistance from vendors and service providers, Toth acknowledges that VPNs can be “fairly complex” systems to set up.

PAYOFF: “This was really a functional issue,” says Toth. “It’s not so much about saving money. I don’t think I could have offered a solution without a VPN.”


Outsourcing Can Help

The growth of e-business and the ever-increasing integration between corporations and their suppliers and trading partners has put a premium on security, user authentication and data integrity. In addition, recent economic pressures have forced many companies to reassess their telecommunications strategies with an eye not just toward security, but toward cost and performance as well.

Users are turning to VPNs as an answer to all of these challenges. In addition to providing increased security, in some cases VPNs have reduced telecommunications management costs and improved performance. However, deploying a VPN isn’t like deploying a few new desktop PCs. There are still many technical challenges to work out and much research to do before you choose any one VPN product or architecture, say users.

“We were worried about the technological risk associated with the changing technology,” says Ed Flynn, CIO at FMC Corp., a Philadelphia-based manufacturing company with 90 locations worldwide. FMC started the move toward a VPN in early 2000 as a means to provide what Flynn calls “secure anybody, anywhere access” for more than 1,000 employees. However, the growth of business-to-business trading also increased concerns about having to touch customer systems, says Flynn, “and we didn’t want to do that at all.”

After researching its options, FMC chose Seattle-based Aventail Corp. for its VPN and remote access requirements. It came down to the technology and flexibility, says Flynn. The Aventail service allows FMC to control employee access rights and also uses a noninvasive agent that leaves the client IP stack alone, thereby meeting FMC’s requirement to not touch customer systems.

“We vetted who we went with very well,” says Flynn, “so we’re not limited by the technology choice.” And since FMC “had no idea how to deploy what they needed on their own,” handing over these complex technologies to a company with the know-how minimized the risk, he explains.

Kelly Henderson, chief operating officer at AutoWeb Communications Inc. in Oak Park, Mich., agrees with the idea of having someone else do the VPN work. AutoWeb, which does business through a VPN managed by Southfield, Mich.-based ANXebusiness Corp., was faced with figuring out a tunnel management process for each of its 600 trading partners, including nine of the world’s largest automotive manufacturers.

“Most companies aren’t in the business of managing telecommunications,” says Henderson. “It’s not their core business.” And VPN tunnel management on AutoWeb’s scale “can get involved” and “can be a significant investment for companies,” she says.

“There’s expertise that we didn’t have but that we needed to have to handle that type of process,” says Henderson. “The cost is well worth it to us because of the type of business we’re in. But you need to identify where the real pain points are and whether a VPN is going to address those pain points.”

Joe Klein, director of telecommunications at Illinois Tool Works Inc. (ITW) in Glenview, Ill., says deploying a VPN hasn’t been painful; in fact, he says it’s been a pleasant, cost-effective change from traditional telecommunications methods.

ITW deployed a VPN from OpenReach Inc. in Woburn, Mass., to replace frame-relay networks connecting up to 70 business units. VPN tunnels are supporting human resources, financial and e-mail applications between remote sites and ITW’s headquarters, as well as 100 remote dial-in users.

“Users have to realize that with all good things, it takes some time to accommodate change and get used to the product,” says Klein, noting that ITW made use of the OpenReach in TV tion team to get the VPN up and running. However, so far the VPN c helped Klein cut costs by 301 . he says.
Guardians of The Gate

What you need to know to land a job and keep your skills fresh in the IT security field. By Amy Helen Johnson


Employee Spotlight

Name: JONATHAN TAYLOR

Title: Enterprise security engineer

Company: Sutter Health, Sacramento, Calif., a nonprofit services organization for 25 affiliate hospitals in Northern California

30-second résumé: Taylor has worked in IT since 1994. After graduating from Brigham Young University in Provo, Utah, he joined a value-added reseller. While moonlighting as a Windows NT Server instructor at MTI College of Business and Technology in Sacramento, a fellow teacher told him about an opening at Sutter Health. He joined the company in 1997, first working on a project to roll out a Windows NT platform throughout the company’s health care affiliates. Taylor switched to IT security in early 2000.

Skills boost: On-the-job training is the best way to learn, says Taylor. “There’s very little training for information security,” he says. “And even if there was, it’s such a vast field that it would be difficult to get what you need for your particular industry or job.”

Still, Taylor has found some courses that help him keep current. His most recent training came from Foundstone Inc., a security services firm in Mission Viejo, Calif. At its Web hacking course, he learned about common Web site vulnerabilities that hackers exploit - vulnerabilities that existed within Sutter Health’s public site.

“It was a great big eye-opener,” he says.

Other resources that Taylor uses to learn about potential security risks are newsgroups and Web sites devoted to IT security. He says there’s a helpful bug list on the Web site of San Mateo, Calif.-based SecurityFocus.

Taylor says the mechanics of his job haven’t changed since the events of Sept. 11; what’s different is the interest that company executives now have in security. “When we would see patterns of risk before 9/11, people were apt to dismiss it,” says Taylor. “Now when we say we have a concern, people’s eyes go wide open.”

- Johnson is a contributing writer in Seattle.


CAREERS 


Is It Hot?

MARKET: Employers are implementing two types of security programs, says Thomas Woods, a principal at recruiter Magee Resource Group in Shreveport, La. One is information protection - who can view what kinds of data. The other is data security - protection against break-ins, viruses and the like. Information protection specialists need experience in the business and legal issues around data. For data security positions, an auditing or forensics background is a bonus.

DEMAND: Now that random viruses threaten every computer network, many businesses are creating security departments, says Woods.


Best Place

Comerica Inc.
Detroit
www.comerica.com

■ A financial services company focused on business and private banking and investment services.

■ Ranked No. 9 on Computerworld’s 2002 Best Places to Work in IT list.

■ 2001 revenue: $4.2 billion

■ Number of IT workers: 800; 19 in IT security

MANAGER’S VIEW: Comerica doubled the size of its IT security team during the past 18 months, says Ken Schaeffler, first vice president. The bank switched from an IT infrastructure that supported only employees to one that provided online services to its customers.

Security concerns changed from an emphasis on access - IDs and passwords - to eliminating the vulnerabilities associated with Internet-based applications, he says. Specialty departments for security administration, security architecture, risk management, regulations monitoring, and policies and procedures handle the bank’s increased security needs.

The bank encourages IT security employees to get CISSP certification and will pay for the coursework and testing. More than 60% of the security staff is certified, says Schaeffler.

Training opportunities are well funded and popular with employees and are considered a key retention tool, he adds.


STOP HACK ATTACKS

One security engineer offers his tips for staying a step ahead of the hacker community.

QuickLink: 30925
www.computerworld.com


Skills

■ Keeping unauthorized people out of systems is the primary task for a security professional, so become skilled at performing risk assessments and working with firewalls, access controls, authentication software, digital certificates, network management security tools and intrusion-detection systems.

■ Networking fundamentals are a must, so brush up on TCP/IP. Count on employers asking about your experience with Cisco Systems Inc. products. They will also expect you to know how to administer common server operating systems such as Solaris, Windows NT and 2000, and Linux.

■ Bonus tip: If you have been through the firestorm of a disaster recovery effort or have designed and implemented a security system, you’ll be in demand.

Training

■ Certifications: The Certified Information Systems Security Professional (CISSP) certification is administered by the Dunedin, Fla.-based arm of the International Information Systems Security Certification Consortium Inc. It runs five-day boot camps to prepare people for the CISSP test.

■ Bonus pay? Not likely; the payback for certification is more often a job rather than a salary boost. Some employers list “certification strongly preferred” in job postings; others require one or more certifications. Without them, your resume could be tossed.

Salaries

There are security job openings all over, including one for a manager of security and disaster recovery with a five- to seven-year track record, a CISSP certification, and experience with virtual private networks, encryption and intrusion-detection software. Location: Augusta, Ga. Salary: Up to $75,000

■ A financial services firm seeks a data security administrator with systems administration, firewall, intrusion-detection and programming skills. Location: Dallas. Salary: Up to $70,000

■ Hot industry: With the federal government beginning well-funded cybersecurity projects, the job market in the government sector is hot, particularly in the Washington area.

SOURCES: NICK DOTY, EDITORIAL DIRECTOR AT TECHIES.COM INC. IN MINNEAPOLIS; THOMAS WOODS, PRINCIPAL AT MAGEE RESOURCE GROUP IN SHREVEPORT, LA.; JULIE LARSON, VICE PRESIDENT OF INFORMATION SECURITY, RISK ASSESSMENT, AWARENESS AND COMPLIANCE AT COMERICA INC. IN DETROIT.
The Next Chapter

Pundits predict the rise of ‘security malpractice’ lawsuits and federal security audits but foresee sluggish growth for smart cards.

■ UNCLE SAM WILL AUDIT YOU

The U.S. government will create a cyber equivalent of the Transportation Security Administration (TSA). Just as the TSA is charged with elevating the current level of transportation security nationwide in all modes — air, land, water and rail — so, too, will the Digital Security Administration be charged with elevating the current level of digital security being practiced by commercial enterprises in the U.S.

The Digital Security Administration will conduct information security audits on the code of the top 20 enterprise software vendors. Code not found to be up to specifications will be labeled unsafe. Vendors with unsafe code will have six months to bring the code up to security standards.

The Digital Security Administration will also conduct information security audits at all companies in the critical infrastructure:

■ Financial and currency markets.

■ Domestic and global lines of communication.

■ Mass points of e-sale and retail.

■ Utilities.

■ Health care facilities.

Failure to bring code, data and network management practices up to specification will result in jail sentences for board members and senior executives.

— Thornton A. May, Toffler Associates Inc., Manchester, Mass.

■ NATIONAL IT SECURITY COUNCIL?

By 2010, IT security will become the primary focus of U.S. national security policy.

— Atul Dighe, senior futurist, Institute for Alternative Futures, Alexandria, Va.

■ 90% OF THE PROBLEM

Through 2005, 90% of cyberattacks will exploit known security flaws for which a patch is available or a solution known.

And through 2005, 20% of enterprises will experience a serious Internet security incident (beyond a virus). Of those that do, the cleanup costs of the incidents will exceed the prevention costs by 50%.

— Richard Mogull, analyst, GartnerG2, Stamford, Conn.


■  ON  THE  CEO  AGENDA 

IT  security  will  become  a  boardroom 
issue  in  the  next  two  years.  CEOs  will 
have  to  manage  the  risks,  just  as  they 
manage  other  sorts  of  risks.  They’ll 
depend  on  chief  security  officers  to 
provide  the  metrics  on  a  portfolio  of 
assets  and  the  risks  that  have  a  bottom- 
line  impact  —  just  like  a  chief  financial 
officer  does,  except  that  IT  risks  are 
constantly  changing. 

—  Mark  Milatovich,  director  of 
security,  Corio  Inc.,  San  Carlos,  Calif. 

■  NOT  AN  IN-HOUSE  JOB 

Security  will  be  outsourced,  as  more 
and  more  companies  realize  it’s  too 
expensive  to  do  in-house.  Just  as  com¬ 
panies  outsourced  their  software 
20  years  ago  or  their  modem  banks 
five  years  ago,  they  will  outsource 
their  network  infrastructures  tomor¬ 


row.  In  the  real  world,  every  bank  hires 
another  company  to  drive  its  money 
around  town,  and  every  building  man¬ 
ager  hires  another  firm  to  post  guards 
in  its  lobby.  Outsourced  network  secu¬ 
rity  will  become  as  commonplace  as 
outsourced  phone  services  are  today. 

—  Bruce  Schneier,  founder  and 
chief  technology  officer,  Counterpane 
Internet  Security  Inc.,  Cupertino,  Calif. 


■  THE  BIOMETRIC  NICHE 

Stronger authentication will supplement
simple password approaches in the next
few years, but infrastructure limitations
will impede smart card adoption
until 2003, and biometrics will remain
niche through 2005.

—  Earl  Perkins,  analyst, 
Meta  Group  Inc.,  Stamford,  Conn. 


■  SMART  CARDS:  SLOW  GROWTH 

Significant smart card growth still
faces several hurdles. Issuers are hesitant
to commit to smart cards until
the cost of the chip card comes down.
Merchants won’t spend the money to
upgrade equipment to accept cards
because they don’t see consumer demand.
And consumers don’t yet see
why they need a chip card — no one
has come up with the right combination
of chip-based applications to intrigue
them enough to switch.

— Catherine Graeber, analyst, Forrester
Research Inc., Cambridge, Mass.


■ MALPRACTICE LITIGATION

What do you tell the CEO when a
forensic audit of your public relations
disaster says it could have been prevented
by a vendor fix that had been
available for eight months but was
never applied?

Ineffective application of hardware
and software security fixes is career-threatening.
Chief security officers
who fail to get their arms around configuration
and change management
will exceed the CIO turnover rate of
38% by 2003.

This is what breeds those “left to seek
other opportunities” memos and will
produce a lot of security malpractice
litigation in the next two to five years.

— Phil Rosch, analyst, Giga Information
Group Inc., Cambridge, Mass.


Food for Thought

A technology timeline from
British futurists forecasts a
world of cyberwarfare.

2005: Crime and terrorism are
mainly computer-based.

2005: Use of quantum cryptography
is in effect.

2006: Public-key cryptography
is cracked within a few seconds.

2007: First Internet war between
cybercommunities begins.

2008: Robotic security and
fire guards are implemented.

2010: Most weapons attack
systems rather than injure people.

SOURCE: "TECHNOLOGY TIMELINE,"
FROM FUTURISTS AT BTEXACT
TECHNOLOGIES, A DIVISION OF
BRITISH TELECOMMUNICATIONS PLC,
IPSWICH, ENGLAND, NOVEMBER 2001


Touchy  Subject 


A  biometric  gadget  the  size  of  a  car  alarm 
remote  control  could  not  only  unlock  cars 
and  homes  but  also  validate  credit  card 
transactions  on  the  fly,  according  to  Cross 
Match  Technologies  Inc.  in  Palm  Beach 
Gardens,  Fla. 

A working model of the Authorizer, as it’s
called, is still two and a half years away. The company
hopes to lower the price to $50 apiece. The
device will read the user’s fingerprint and
send it wirelessly to a third party for authorization.

The Authorizer will have another layer of security as
well: It will be able to sense the blood flow in a finger.

That’s important, because it means the finger must be
attached to a living person (not a cadaver). And if the blood
is flowing faster than normal - for example, if the user is being held
at gunpoint - the device could void the transaction.

- Mitch Betts
African  Americans  in  IT


By  Jennifer  Hicks 

IMDiversity.com

The  U.S.  population  is  a  smorgasbord  of  diversity.  One 
would  think  then,  if  recollections  of  probability  theories 
from  statistics  classes  are  correct,  that  our  various 
populations  would  be  represented  in  similar  proportions 
within  the  IT  industry.  However,  such  is  not  the  case. 

African Americans comprised 12.3 percent of the population
according to Census 2000, yet a recent Information
Technology Association of America (ITAA) study reveals that
they make up only 6% of the IT workforce. (The numbers
are even worse for Latinos and First Nations members.)

Renee McClure, national president of the Black Data Processing
Associates (BDPA), sees things a bit better though,
albeit with an accompanying negative: "There is a significant
number of African Americans in IT, [but] not that many
have arrived at positions of power and decision-making."

So  the  problem  is  two-fold.  First,  African  Americans,  as 
is  true  with  other  minorities,  are  not  proportionately 
represented  in  the  IT  industry.  Second,  those  who  are  in 
the  industry  are  not  often  in  executive  positions. 

A 2001 survey by ITAA, IT Magazine, and U.S. Black
Engineer found that people entered the IT field for
two primary reasons: training opportunities and
professional development. But a 2001 QEV Analytics
report commissioned by ITAA cites early exposure to
technology as essential in helping minority members
make the decision to enter IT. Yet, oftentimes, it is
the early exposure to IT that some minority groups
have missed.

BDPA, along with many community organizations
such as Jesse Jackson's PUSH Coalition and some
corporate foundations, is taking steps to remedy
the situation. Specifically, BDPA serves as an
intermediary between the information technology
and African American communities. More than 40 chapters
across the U.S. offer workshops, career counseling, technological
assistance, networking opportunities, and computer
competitions to those interested in technology and those
seeking to advance their careers.

For seasoned IT professionals, promotions can be difficult
unless your employer provides training opportunities.
Technology changes rapidly and unless one has up-to-date
skills and training, moving up the corporate ladder can be
impossible. Those organizations that are tops in their field
(see sidebar), provide access to training and thus "grow
their own" IT pros are also more likely to make career
advancement possible within their organizations.


Based on sales, profits, assets, and market value, the following
companies, arranged in descending order, are the IT
leaders, according to Fortune Magazine.

IBM
Oracle
Hewlett Packard
Gateway
Computer Sciences Corporation
EMC
Dell
Apple Computers
Tech Data
Electronic Data Systems
Cisco
Sun Microsystems
Micron Technology
America Online
Unisys
Seagate Technologies
Automatic Data Processing
Computer Associates International
Science Applications International
Texas Instruments

Author  bio: 

Jennifer  Hicks,  author  of  several  hundred 
articles  and  who  lives  in  the  Boston  area,  is  the 
director  of  online  content  for  IMDiversity.com 
http://www.imdiversity.com,  the  Web  site  where 
opportunities,  careers,  and  diversity  connect. 


If  you're  anxious  to  apply  your  education  to  real-life  challenges,  you'll  find  the  world's  best 
proving  ground  at  Northrop  Grumman  Corporation. 

Thanks  to  key  acquisitions  and  major  new  contracts,  Northrop  Grumman  is  now  an  $18-billion
global  powerhouse  with  leadership  in  aerospace,  defense  electronics,  information  systems, 
cyberspace,  ship  building,  commercial  electronics  and  much  more. 

Join  us  and  work  on  such  advanced  projects  as  the  Joint  Surveillance  Target  Attack  Radar 
Systems  (Joint  STARS);  the  BAT  "brilliant"  anti-armor  submunition;  DDG  51  Class  Aegis  guided 
missile  destroyer;  Distributed  Mission  Training  program  for  the  Air  Force;  the  B-2  Spirit  stealth 
bomber;  the  Space-Based  Infrared  System  ballistic  missile  warning  and  tracking  system  (SBIRS) 
High;  nuclear  powered  aircraft  carriers  and  submarines;  as  well  as  many  others. 

Accelerate  your  professional  growth  through  our  career  development  programs.  Ideal  majors  are 
Computer  Science,  Engineering,  Manufacturing,  Materials  Technology,  Physics  and  Mathematics. 

We  are  currently  searching  for  individuals  with  knowledge  or  expertise  in:  •  Aerospace 
Engineering  •  Business  Administration  •  Computer  Engineering  •  Computer 
Science  •  Electrical  Engineering  •  Manufacturing  Engineering  •  Management 
Information  Systems  •  Mechanical  Engineering 


Nothing  like  the  real  world  to  show  what  you  can  do.” 


www.northropgrumman.com 


For  opportunities  currently  available  with  Northrop  Grumman,  please  contact:

Northrop  Grumman  Component  Technologies  -  E-mail:  mausda@mail.northgrum.com 

Source  Code:  IDG0715 

Northrop  Grumman  Electronic  Systems  - 

E-mail:  ElectronicSystems.NewGrads@northropgrumman.com,  Source  Code:  IDG0715 
Please  use  the  Source  code  above  on  the  “subject”  line  of  all  correspondence. 

Northrop  Grumman  Information  Technology 

Apply  online  at:  www.northropgrummanit.com 

Northrop  Grumman  Integrated  Systems  -  E-mail:  careers@mail.northgrum.com 

Source  Code:  IDG0715 

Northrop  Grumman  Newport  News  -  E-mail:  employment@nns.com 

Source  Code:  SWE0402,  Apply  online  at:  www.nns.com/careers/careers.htm 
Please  use  the  Source  code  above  on  the  “subject”  line  of  all  correspondence. 

Northrop  Grumman  Ship  Systems  -  E-mail:  employment@avondale.com 

Source  Code:  IDG0715,  See  us  online  at:  www.avondale.com 

Northrop  Grumman  Ship  Systems  -  E-mail:  employment@ingalls.com 

Source  Code:  IDG0715 

U.S.  Citizenship  is  required  for  most  positions.  EOE  M/F/D/V. 




Computerworld  •  InfoWorld  •  Network  World  •  July  15,  2002


Freddie  Mac  is  a  Fortune  500® 
company  with  an  important  public 
mission:  to  lower  the  cost  of  home 
mortgages  so  more  families  can 
own  homes.  And  we  need  your 
help.  If  you  want  to  work  for  a 
company  that  supports  inclusion, 
values  different  opinions  and 
wants  you  to  have  a  rich,  fulfilling 
life  -  both  inside  and  outside  the
office  -  find  yourself  a  new  career
at  www.freddiemac.com.  Your  life 
isn’t  the  only  one  you’ll  change. 




Special  People .  Special  Agents. 



FBI  Special  Agent  Frank  Andrews 

Frank  Andrews  has  been  an  FBI  Special  Agent  for  eight  years. 

In  his  own  words,  Special  Agent  Andrews  tells  us  what  working
for  the  FBI  is  really  like. 


To  qualify  for  the  FBI  Special  Agent  position,  you  must  possess  a  four-year  college  degree, 
be  available  for  assignment  anywhere  in  the  Bureau's  jurisdiction,  be  between  the  ages  of 
23  and  36,  and  be  in  excellent  physical  condition. 

Special  Agents  come  from  a  broad  range  of  educational  disciplines  and  professions, 
however,  the  FBI  has  special  needs  for  candidates  with  critical  skills  among  the  following 
areas:  Computer  Science  or  IT,  Engineering,  Law  Enforcement,  Foreign  Counterintelligence,
Military  Intelligence,  Physical  Sciences,  and  Foreign  Language  (Arabic,  Chinese,  Farsi, 
Hebrew,  Hindi,  Japanese,  Korean,  Punjabi,  Russian,  Spanish,  Urdu,  and  Vietnamese). 

Professional  Support  Positions  may  also  be  available  in  the  following  areas: 

Computer  Science,  Engineering,  and  Information  Technology. 

Please  visit  our  website  and  apply  on-line  at:  www.fbijobs.com  Positions  added  daily. 

You  must  be  a  U.S.  citizen  and  consent  to  a  complete  background  investigation,  drug  test, 
and  polygraph  as  a  prerequisite  for  employment.  Only  those  candidates  determined  to  be 
best  qualified  will  be  contacted  to  proceed  in  the  selection  process.  The  FBI  is  an  equal 
opportunity  employer. 


On  his  most  rewarding  case: 

"When  working  on  fugitive  cases  you 
never  know  who  a  suspect  will  impostor.  For 
instance,  one  particular  fugitive  was  posing 
as  a  Deacon  in  a  church.  We  apprehended 
this  individual  for  writing  bad  checks  across 
the  country.  It  was  extremely  rewarding  to 
capture  a  fugitive  who  was  so  callously 
deceiving  members  of  the  church." 


On  why  others  should  consider  a 
career  at  the  FBI: 

"If  you  are  self-motivated,  adaptable 
and  seek  challenges;  if  you  are 
looking  for  a  job  that  is  diverse  and 
never  becomes  monotonous,  then 
this  is  the  career  choice  for  you." 


BDPA  Information  Technology  Thought  Leaders 


BDPA  2002 

24th  ANNUAL  NATIONAL  CONFERENCE  &  CAREER  FAIR 

“Changing  the  Culture  of  IT:  From  Access  to  Ownership” 

Disney’s  Contemporary®  Resorts,  Lake  Buena  Vista,  FL

AUGUST  7-11,  2002 

ROGER  BERRY 

Senior  Vice  President  and  Chief  Information  Officer  for  the  Walt  Disney  World 
Resort,  will  be  the  Keynote  Speaker  for  the  Awards  Banquet,  Saturday,  August 

10,  4 


LEADING  EDGE  SEMINAR  TRACKS: 

INFORMATION  TECHNOLOGY 
LEADERSHIP  DEVELOPMENT 
ENTREPRENEURS  &  SMALL  BUSINESS 
CAREER  DEVELOPMENT 
ACADEMIC  DEVELOPMENT 
COLLEGE  STUDENT  TRACK 
2-DAY  WORKSHOPS 


INTRODUCTION  TO  JAVA 
INTRODUCTION  TO  DB2 
IT  SENIOR  MANAGEMENT  FORUM  (ITSMF)

Network  with  CIOs  and  Senior  Management 
Professionals 

HIGH  SCHOOL  COMPUTER  COMPETITION 

Experience  the  excitement  as  high  school 
students  display  their  skills  and  expertise  in 
programming  and  technical  presentations. 


YOUTH  CONFERENCE 

Hands-on  training  and  workshops  in  technol¬ 
ogy,  PC  Building  Race  and  IT  Knowledge 
Quiz  Bowl 

NETWORKING  OPPORTUNITIES 

♦  DIGNITARIES  RECEPTION  & 
ROUNDTABLE 

♦  ENTREPRENEUR  SHOWCASE 

♦  COLLEGE  &  HBCU  ROUNDTABLE 

♦  TOWN  HALL  MEETING 

♦  AWARDS  BANQUET 
-sponsored  by  Walt  Disney  World 

♦  BDPA  IT  GOLF  CLASSIC 

♦  PRAYER  BREAKFAST 

CAREER  FAIR  &  TECHNOLOGY  EXPO 

Friday,  August  9  10:00am  to  6:00pm 

Saturday,  August  10  10:00am  to  4:00pm 

♦  Free  admission  with  resume 


Full  2-DAY  "Hands-on"  Seminars!! 
Tuesday,  August  6  &  Wednesday,  August  7th 
INTRODUCTION  TO  XML  PROCESSING  WITH  JAVA™ 
DB2  UDB  THE  WORKSHOP  FOR  DBAS 


BDPA  2002  24TH  ANNUAL  NATIONAL  CONFERENCE 
PHONE:  (800)  727-BDPA  FAX:  (301)  220-2185  WEBSITE:  WWW.BDPA.ORG 
6401  Golden  Triangle  Drive,  Suite  450,  Greenbelt,  MD  20770 
The  Diversity  supplements  from
IMDiversity.com  and  IDG  Recruitment 
Solutions  are  the  only  way  to  reach 
and  recruit  the  most  qualified  and 
diverse  IT  and  Engineering 
professionals  in  the  United  States. 


This  powerful  partnership  is  the 
answer  to  your  print  and  online 
Diversity  recruitment  needs. 


August  Diversity  Issue: 

Latino  Americans  in  IT 
Issue  date:  August  19,  2002 
Space  reservation:  August  7,  2002 
Materials  due:  August  15,  2002 
Bonus  distribution:  PICKDiversity, 
Chicago,  IL 


November  Diversity  Issue:  TBD 
Issue  date:  November  11,  2002
Space  reservation:  October  30,  2002 
Materials  due:  November  7,  2002 


For  more  information,  contact  Janis 
Crowley  at  800-762-2977,  ext.  7607, 

or  email  at  janis_crowley@itcareers.net. 


Recruit,  retain,  communicate  and  di 




RECRUIT 
WOMEN  IN 
BIOTECH 
AND  LIFE 
SCIENCES 

Produced  by  Women  in 
Technology  International 
(WITI)  and  Bio-IT  World, 
Women  in  Biotech  is  a 
special  advertising  supple¬ 
ment  written  to  address 
the  needs  of  female  Ph.D. 
Research  Life  Scientists 
and  professionals  in  R&D. 
Women  in  Biotech  will  be 
featured  in  the  September 
issue  of  Bio-IT  World, 
and  will  be  distributed  at 
the  Women  in  Biotech/WITI 
Track  at  the  Bio-IT  World
Conference  in  San  Diego,  CA. 

Space  is  limited  and  avail¬ 
able  on  a  first  come  first 
served  basis  until  August 
23rd.  Call  Janis  Crowley  at 
650-312-0607  today  to 
reserve  space. 




microsoft.com/careers/diversity.htm


At  Microsoft,  diversity  matters. 
Not  just  in  the  way  we  hire,  but 
in  every  facet  of  our  operation. 
Because  ultimately,  we  believe 
that  a  diverse  workforce  will 
not  only  enrich  our  performance 
and  products,  but  also  the  lives 
of  our  employees,  and  the  very 
communities  in  which  they  live 
and  work. 

For  more  information,  visit  our 
Web  site.  When  applying  for  a 
position,  please  indicate  Job 
Code  A22y6-0715  in  the 
subject  header. 

©2002  Microsoft  Corporation.  All  rights  reserved.  Microsoft  is  a
registered  trademark  of  the  Microsoft  Corporation  in  the  United  States
and/or  other  countries.  Microsoft  is  an  equal  opportunity  employer 
and  supports  workplace  diversity. 


IT  CAREERS


DATABASE  SPECIALIST 

ADMINISTRATIVE  INFORMA¬ 
TION  TECHNOLOGY  SER¬ 
VICES  (AITS)  UNIVERSITY 
OF  ILLINOIS  AT  URBANA- 
CHAMPAIGN 

AITS  has  one  full-time  opening 
for  a  Database  Specialist, 
available  immediately  at  the 
Urbana-Champaign  campus 
location  of  the  University  of 
Illinois. 

The  Database  Specialist  will 
work  with  AITS  Data 
Administration  and  Systems 
Development  and  University 
ERP  and  Decision  Support 
staff  to  establish,  administer 
and  maintain  test,  development, 
QA,  CRP,  training,  regression 
test  and  production  enterprise¬ 
wide  database  environments 
for  the  SCT  Banner  ERP  appli¬ 
cation,  bolt-on  applications, 
Enterprise  Data  Warehouse 
and  data  marts  in  the  client 
/server  environment. 

We  are  looking  for  Database 
Specialists  to  plan,  install,  con¬ 
figure  and  administer  database 
software  and  maintain  data¬ 
bases/instances  in  accordance 
with  industry-standard  best 
practices,  as  well  as  provide 
performance  tuning  at  the  server 
and  application  levels;  design 
implementation  and  support  of 
procedures  integrating  Oracle 
advanced  features  into  new 
and  existing  environments, 
including  Advanced  Security, 
Log  Miner,  Data  Guard,  Virtual 
Private  Database,  Automated 
space  and  memory  manage¬ 
ment,  Oracle  Flashback, 
External  Tables  for  data  ware¬ 
housing  etc.  Defined  duties 
include:  primary  support  of 
Oracle  and  secondary  support 
of  Sybase  database  manage¬ 
ment  systems;  physical  data 
modeling  for  the  Enterprise 
Data  Warehouse  using  Erwin; 
performance  analysis  and  tuning 
of  ERP  applications,  Business 
Objects  universes  and  reports 
in  both  ERP  and  DS  environ¬ 
ments  and  ad-hoc  queries  in 
EDW  and  data  marts  and 
administration  and  support  of 
the  Informatica  ETL  suite.
Additional  responsibilities  include 
defining,  implementing,  and 
monitoring  environments  and 
configurations,  database  require¬ 
ments  analysis,  security  man¬ 
agement,  design  and  imple¬ 
mentation  of  back-up/recovery 
and  disaster  recovery  using 
RMAN  &  EMC  Timefinder 
strategies,  implementation  and 
support  of  the  Appworx  sched¬ 
uling  tool,  deploying  Oracle 
Enterprise  Manager  (OEM)  as 
an  enterprise-wide  monitoring 
tool,  implementation  of  central¬ 
ized  name  resolution  strategies 
using  LDAP,  development  of 
Perl  &  PL/SQL  scripts  to 
proceduralize  database  adminis¬ 
tration  task  and  troubleshooting 
of  production  issues  as  they 
occur.  Unix  is  used  for  database 
requirements  analysis  and  cre¬ 
ation  of  scripts  for  execution  of 
system  application  functions. 

Bachelor's  in  Computer  Science 
or  Electrical  Engineering,  two 
years  experience  in  job  offered 
or  as  a  database  analyst  is 
required.  Must  have  Oracle 
DBA  Certification. 

The  University  of  Illinois  offers 
a  full  benefits  package  that 
includes  health  care,  dental 
care,  life  insurance,  24  vacation 
days  a  year,  tuition  waivers  and
other  benefits. 

To  apply  for  this  position, 
please  submit  a  letter  of  appli¬ 
cation  specifying  position  title, 
a  resume,  and  the  names  and 
telephone  numbers  of  three 
references  who  can  verify  your 
ability  to  carry  out  the  duties 
described  above  to: 

Administrative  Information 
Technology  Services 
50  Gerty  Drive,  MC/673 
Champaign,  IL  61820 

Email:  aitshr@uillinois.edu 

The  University  of  Illinois  is  an 
Equal  Opportunity  /  Affirmative 
Action  employer  committed  to 
excellence  through  diversity. 


DATABASE  SPECIALIST 

ADMINISTRATIVE  INFORMA¬ 
TION  TECHNOLOGY  SER¬ 
VICES  (AITS)  UNIVERSITY 
OF  ILLINOIS  AT  URBANA- 
CHAMPAIGN 

AITS  has  one  full-time  opening 
for  a  Database  Specialist, 
available  immediately  at  the 
Urbana-Champaign  campus 
location  of  the  University  of 
Illinois. 

The  Database  Specialist  will 
work  with  AITS  Data 
Administration  and  Systems 
Development  and  University 
ERP  and  Decision  Support 
staff  to  establish,  administer, 
and  maintain  test,  development, 
QA,  CRP,  training,  regression 
test  and  production  enterprise¬ 
wide  database  environments 
for  the  SCT  Banner  ERP  appli¬ 
cation,  bolt-on  applications, 
Enterprise  Data  Warehouse 
and  data  marts  in  the  client 
/server  environment. 

We  are  looking  for  a  Database 
Specialist  to  plan,  install,  con¬ 
figure  and  administer  database 
software  and  maintain  databases 
/instances  in  accordance  with 
industry-standard  best  practices, 
as  well  as  provide  performance 
tuning  at  the  server  and  applica¬ 
tion  levels;  design,  implementa¬ 
tion  and  support  of  procedures 
integrating  Oracle  advanced 
features  into  new  and  existing 
environments,  including 
Advanced  Security,  Log  Miner, 
DataGuard,  Virtual  Private 
Database,  Automated  space 
and  memory  management, 
Oracle  Replication  (Multi 
Master  and  Master  snapshot), 
External  Tables  for  data  ware¬ 
housing  etc.  Defined  duties 
include:  primary  support  of 
Oracle  and  logical  and  physical 
data  modeling  for  the  Enterprise 
Data  Warehouse  using  Erwin; 
capacity  planning,  performance 
analysis  and  tuning  of  ERP 
applications,  Business  Objects 
universes  and  reports  in  both 
ERP  and  DS  environments  and 
ad-hoc  queries  in  EDW  and 
data  marts  and  administration 
and  support  of  the  Informatica 
ETL  suite.  Additional  respon¬ 
sibilities  include  defining, 
implementing  and  monitoring 
environments  and  configurations, 
database  requirements  analysis, 
security  management,  design 
and  implementation  of  back-up 
/recovery  and  disaster  recovery 
using  RMAN  &  EMC  Timefinder
strategies,  implementation
and  support  of  the  Appworx 
scheduling  tool,  deploying 
Oracle  Enterprise  Manager 
(OEM)  as  an  enterprise-wide 
monitoring  tool,  implementation 
of  centralized  name  resolution 
strategies  using  LDAP,  development
of  PL/SQL  scripts  to
proceduralize  database  admin¬ 
istration  tasks  and  troubleshoot¬ 
ing  of  production  issues  as  they 
occur.  Unix  is  used  for  database 
requirements  analysis  and 
creation  of  scripts  for  execution 
of  system  application  functions. 

Bachelor's  in  Computer  Science 
or  Electrical  Engineering,  two 
years  experience  in  job  offered 
or  as  a  database  analyst  is 
required.  Must  have  Oracle 
DBA  Certification. 

The  University  of  Illinois  offers 
a  full  benefits  package  that 
includes  health  care,  dental 
care,  life  insurance,  24  vacation 
days  per  year,  tuition  waivers 
and  other  benefits. 

To  apply  for  this  position,  please 
submit  a  letter  of  application 
specifying  position  title,  a 
resume,  and  the  names  and 
telephone  numbers  of  three 
references  who  can  verify  your 
ability  to  carry  out  the  duties 
described  above  to: 

Administrative  Information 
Technology  Services 
Human  Resources 
50  Gerty  Drive,  MC/673 
Champaign,  IL  61820 

Email:  aitshr@uillinois.edu 

The  University  of  Illinois  is  an 
Equal  Opportunity  /  Affirmative 
Action  employer  committed  to 
excellence  through  diversity. 


OH  Manuf.  of  Eletr.  Testing 
Instruments  seeks  Network  and 
Communications  Manager  to 
provide  network  administration, 
support  for  company's  worldwide 
LANs,  file  servers,  network  com¬ 
puters;  oversee  the  configura¬ 
tion,  upgrades,  hardware  pre¬ 
ventive  maintenance;  diagnosis, 
resolution  of  network  related 
problems;  support  of  Telecom¬ 
munications,  Voice  messaging 
systems;  Troubleshooting;  provide
Software  support;  Data  Replication 
&  Development  of  Data  Replica¬ 
tion  Tools  to  assist  in  data  sharing 
between  Offices  and  Mobile 
Field  Service  Engineers;  admin¬ 
istration  of  maintenance  agree¬ 
ments  with  company's  vendors; 
develop/implement  the  virtual 
private  network  for  company's 
business;  development,  deploy¬ 
ment  of  in-house  developed 
business  systems/application 
databases;  recommend/acquire 
PC  related  hardware/  software. 
Min.  2  yrs.  in-job  exp.,  including: 
Novell  Netware  Servers;  Novell 
CNE,  Microsoft  NT  Servers;  Lotus 
ccMail;  Lotus  Notes  Server; 
mobile  communications  experi¬ 
ence  over  a  global  area;  network 
security;  management  experience. 
Travel  req.  Resumes  to  P.O.  Box 
568,  44  East  Exchange  Street, 
Akron,  OH  44328.  No  calls.  EOE. 


Computer  Systems  Analyst  who 
will  plan,  analyze,  design,  develop 
and  enhance  ERP  and  client 
server  based  applications  using 
working  knowledge  of  People- 
Soft  Financials  6.0/7.0/7.5/8.4, 
PeopleCode,  People  Tools,  SQR, 
Crystal  Reports  and  nVision.  Will 
design,  implement  and  cus¬ 
tomize  PeopleSoft  HRMS  and 
Financial  Applications  using 
SYBASE,  UNIX,  JDBC,  PL/SQL, 
Oracle  8.x,  Windows  NT/98, 
Java  2.0  and  JDK.  Applicant 
must  have  at  least  five  and  one 
half  years  experience  planning, 
analyzing,  designing  and  en¬ 
hancing  ERP  and  client  server 
based  applications.  Applicant 
must  have  working  knowledge 
of  PeopleSoft  Financials  6.0 
/7.0/7.5/8.4,  PeopleCode,  People 
Tools,  SQR,  Crystal  Reports,
nVision,  SYBASE,  UNIX,  JDBC, 
PL/SQL,  Oracle  8.x,  Windows 
NT/98,  Java  2.0  and  JDK.  Applicant
must  have  a  Bachelor's
degree  or  foreign  degree  equivalent
in  Engineering  or  Computer
Science.  Work  involves  extensive 
travel  and  frequent  relocation. 
$70,500/year,  40  hours/week,
9:00am-5:00pm.  Send  resume,
listing  Job  Order  Number  WEB
253751,  to  JS  Supervisor,  Green
County  Team  PA  CareerLink,  4 
West  High  Street,  Waynesburg, 
PA  15370-1324. 


PROGRAMMER/ANALYST  to 
analyze,  design,  develop,  test, 
implement  and  maintain  business 
critical  credit  card  application 
software  in  a  client/server  envi¬ 
ronment  using  C,  C++,  Oracle, 
Pro*C,  PL/SQL,  SQL*Loader,
SQL  Plus  Reports  and  Visual 
Basic  under  UNIX  and  DOS 
operating  systems.  Require:  B.S. 
degree  in  Computer  Science/ 
Engineering,  Management  Infor¬ 
mation  Systems,  or  a  closely 
related  field  with  two  years  of 
experience  in  the  job  offered. 
Competitive  salary  offered.  Send 
resume  to:  Debra  L.  Crow, 
Citibank  Universal  Card  Services, 
8787  Baypine  Road,  Jacksonville, 
FL  32256;  Attn:  Job  PN. 


Business  Objects  has  an  opening 
for  the  position  of  Computer 
Systems  Analyst  to  be  based  out 
of  our  Chicago,  IL  office.  The 
Computer  Systems  Analyst  has 
an  overall  responsibility  for  data 
warehousing,  client/server  appli¬ 
cation  design  &  development. 
The  position  requires  a  min.  of  a 
Bachelor's  degree  or  equivalent 
in  Computer  Science,  Information 
Systems,  Business  (MIS)  or  re¬ 
lated  &  two  years  experience  in 
IT  or  Consulting/Development. 
To  apply  for  a  position  visit  our 
website  at  www.businessobjects.com/careers
or  forward  your
resume  (ref  IW0402)  to:  Business 
Objects  Americas,  Attn:  Staffing, 
3030  Orchard  Pkwy,  San  Jose, 
CA  95134.  EOE 




IVR  PROGRAMMER/ANALYST 
to  analyze,  design,  develop,  con¬ 
figure,  implement  and  test  soft¬ 
ware  and  databases  for  voice 
network  using  Edify  IVR;  Design 
and  develop  speech  recognition 
software  using  Nuance  and 
DialogBuilder  APIs;  Design,  test 
and  implement  CTI  systems  using 
Nortel  TAPI  server  and  CT 
Connect;  Analyze  and  report 
CCMIS;  Integrate  IVR  systems 
with  PBXs,  ACDs  including 
Rockwell  and  Aspect,  and  data¬ 
bases  including  Oracle.  Require: 
B.S.  degree  in  Computer  Science, 
an  Engineering  discipline,  or  a 
closely  related  field  with  two 
years  of  experience  in  the  job 
offered  or  as  a  Systems  Analyst. 
Extensive  travel  on  assignments 
to  various  client  sites  within  the 
U.S.  is  required.  Competitive 
salary  offered.  Send  resume  to: 
Harish  Krishna,  VP  IVR/Speech 
Solutions,  Sages  Networks  Inc., 
1106  Briarcliff  Place,  Atlanta, 
GA  30306;  Attn:  Job  VC.


SENIOR  SOFTWARE  ENGI¬ 
NEER  to  design,  develop,  test, 
implement  and  support  application 
software  for  the  telecommunica¬ 
tion  industry  using  object  oriented 
programming,  J2SE,  J2EE,  C, 
C++,  Java,  UNIX  Shell  Scripts, 
EJB,  CORBA,  UML  and  Visio 
under  UNIX,  Windows  and  DOS 
operating  systems.  Require:  M.S. 
degree  in  Computer  Science, 
Systems  Science,  or  a  closely 
related  field  with  two  years  of 
experience  in  the  job  offered 
or  as  a  Programmer/Analyst. 
Extensive  travel  on  assignment 
to  various  client  sites  within  the 
U.S.  is  required.  Competitive 
salary  offered.  Send  resume 
to:  Roz  L.  Alford,  Principal,  ASAP 
Staffing  LLC,  3885  Holcomb 
Bridge  Rd.,  Norcross,  GA 
30092;  Attn:  Job  AM. 


SPL-WorldGroup  is  an  interna¬ 
tional  builder  of  customer  infor¬ 
mation  systems  for  utility  com¬ 
panies.  We  are  currently  looking 
for  individuals  to  work  in  our 
development  centers  in  San 
Francisco,  California;  Morristown, 
New  Jersey;  Chicago,  Illinois  and 
other  various  unanticipated  sites 
throughout  the  United  States  as: 
Programmer  Analysts 
Systems  Analysts 
Database  Administrators 
System  Administrators 
Software  Engineers 
•Travel  is  required  for  some 
positions. 

SPL  WorldGroup,  Inc. 

75  Hawthorne  Plaza,  Suite  2000 
San  Francisco,  CA  94105 
Attn:  Jennifer  Bowman 
Fax:415-977-4551 
E-mail:  jennifer_bowman@splwg.com


Prog./Analyst.  Job  location: 
Overland  Park,  KS.  Duties: 
Resp.  for  testing  &  verifying  code 
for  Telecom.  PCS  IT  AD  testing 
lab  using  Silk  Test.  Support 
testing  activities  for  key  develop.
efforts  &  support  system  environ. 
Develop,  write  &  maintain  test 
guidelines,  test  cases  &  scripts. 
Determine  test  requirements  & 
coord.  test  scheduling.  Conduct
systems  integration  tests,  load 
testing  &  perform  functional  test¬ 
ing  using  Segue  Products  & 
Rational  Products  incl.  Rational 
Test  Suite.  Requires:  B.S.  in 
Comp.  Sci.,  Info  Tech.,  Eng.  or  a 
related  field  &  2  yrs.  exp.  in  the 
job  offered  or  2  yrs.  exp.  as  a 
Systems  Analyst  or  Prog.  Will 
accept any comb. of educ. & exp.
equiv.  to  a  B.S.  degree.  Concurrent 
exp.  must  incl.  2  yrs.  exp.  per¬ 
forming  functional  testing  using 
Rational  Test  Suite  &  2  yrs.  exp. 
developing  &  writing  test  cases 
&  scripts.  Send  resume  (no  calls) 
to:  Danielle  David,  CTG,  Inc., 
13220  Metcalf  Ave.,  Ste.  140, 
Overland  Park,  KS  66213. 


•  July  15,  2002 


DATABASE  ADMINISTRATOR 
to  administer,  design,  develop, 
maintain  and  support  OLTP  and 
DSS  using  SQL,  PL/SQL, 
Stored  Procedures,  Functions, 
Triggers, packages and SQL*Plus
on  SUN  Solaris  Platform  with 
Oracle  Parallel  Server  and  Oracle 
Advanced  Replication  options; 
Develop  procedures  to  extract, 
transform  and  load  data  from 
legacy  systems  into  Data  Ware¬ 
house  databases  using  FTP 
tools, SQL*Loader, UNIX Shell
Scripting  and  PERL  Scripting; 
Perform  backup  recovery  using 
RMAN,  Net  Backup,  Veritas  and 
Export/Import utilities; Tune Oracle
databases  for  optimal  performance 
using  STATSPACK;  Estimate 
hard  disk  and  memory  require¬ 
ments  using  UNIX  tools;  Monitor 
database  activity  using  OEM  and 
TOAD.  Require:  Master's  degree 
in  Computer  Science,  an  Engi¬ 
neering  discipline,  or  a  closely 
related  field  with  two  years  of 
experience  in  the  job  offered. 
Extensive  travel  on  assignment 
to  various  client  sites  within  the 
U.S.  is  required.  Competitive 
salary  offered.  Send  resume  to: 
Krishna  Mupparaju,  Data  Matrix 
Associates,  Inc.,  102  Furlong 
Court,  Frankfort,  KY  40601  Attn: 
Job  ST. 


COMPUTER/IT 

RICE  /  HR  Technical  Developer. 
(Troy, MI). Req. Bachelor's degree
or equiv. foreign educ. in comp.
science, mgmt. info. systems, or
eng. field, & 2 yrs.' exp. in the
job offered or 2 yrs.' exp. in the
development,  implementation 
&  support  of  SAP  R/3  Human 
Resources  module,  including 
Personnel  Admin.,  Personnel 
Development,  Time  Mgmt.  & 
Payroll sub-modules, using ABAP/4.
All stated exp. must include
the following: the use and configuration
of ALE (application link
enabling); implementation of user
exits and BADI's (business add-ins),
& BAPI's (business application
programming interfaces);
creation  of  Custom  Infotypes;  & 
performance  tuning  of  SAP  R/3 
transactions  &  programs.  Exp. 
must  include  one  full  life-cycle  of 
SAP  R/3  development.  40  hrs./ 
wk.  9:00-5:00.  Apply  with  resume 
to  Jennifer  McKenzie,  Delphi 
Corporation,  5825  Delphi  Drive, 
Troy,  Michigan  48098.  EOE. 
Reference  #0803  when  applying. 


SR.  SAP  ENGINEER/CONSUL¬ 
TANT  to  analyze,  design,  devel¬ 
op  and  implement  customized 
software  applications  using  SAP 
R/3;  Consult  with  and  mentor 
client  personnel  in  the  Logistics 
and  Financial  components  of 
the  SAP  R/3  software;  Design, 
develop,  implement  and  integrate 
complex client-server solutions,
including  infrastructure  and 
organizational  structure.  Req: 
Bach.  deg.  (or  foreign  equiv.)  in 
Comp.  Info.  Systems,  Mgt.  Info. 
Systems, Business Admin. or
a  related  field,  with  3  yrs.  of  exp. 
in  the  job  offered  or  as  a  SAP 
Consultant.  Prior  exp.  must  include 
3  yrs.  using  SAP  R/3.  Competitive 
salary  and  benefits.  Send  resume 
to:  Pieter  Badenhorst,  TExperts, 
Inc.,  7740  Roswell  Rd.,  Suite 
600E,  Atlanta,  GA  30350 


Senior  Database 
Administrator 


Oracle  database  administration 
including  installation, 
configuration,  tuning,  back-up 
and  recovery.  Required: 
Master's  degree  in  Comp 
Sci/Eng/Related  or  equivalent; 
and,  certification  as  Oracle 
Database  Administrator.  In 
Bellevue,  WA.  Resumes  to: 
Logical  Networks,  Inc. 
Human  Resources, 

4224  6th  Avenue,  Bldg  2, 
Lacey,  WA  98503 


Raj Consultants, Inc., a software
consulting/project  development 
company  has  multiple  openings 
nationwide  for  Programmer/Sys¬ 
tems  Analysts,  Software/Com¬ 
puter  Engrs.,  Database/Systems 
Admins.,  Database  Analysts, 
Unix/Network/NT  Admins.,  and 
Project  Leaders  with  experience 
in  the  following:  Unix,  C/C++, 
Java,  EJB,  JDBC,  Corba,  Visual 
Basic,  PowerBuilder,  Oracle, 
Dev.  2000,  Sybase,  Windows  NT, 
ASP,  Crystal  Reports,  ERWin, 
Perl,  HTML/DHTML,  VBScript, 
Sun  Solaris,  SCO  Unix,  Net¬ 
working  Protocols,  AS/400,  Client 
MOO,  VAX/VMS,  Vignette  Story 
Server,  Perl,  TCL,  Novell  Net¬ 
Ware,  Visual  SourceSafe,  ActiveX 
controls,  Lotus  Notes,  Cobol, 
PeopleSoft,  JDEdwards  Integra¬ 
tion,  WebMethods,  and  MS  Office 
tools.  Some  openings  require 
bachelor's degree, some master's
degree  with  at  least  2  or  more 
yrs  exp.  Equivalent  degree  and 
exp  also  accepted.  Exc.  pay  & 
benefits.  Travel  and  relocations 
may be required. Pls indicate
the  position  you  are  applying 
for.  Email  resumes  to:  rai@ 
rci-consultina.com  or  mail  to:  HR 
Dept., Raj Consultants, Inc.,
1133  Green  Street,  Iselin,  NJ 
08830. 


Talent  is 
the  fuel  of 
the  new 
economy. 


Fill  up 
with 

ITcareers. 


ITcareers  and 
ITcareers.com
can  put  your 
message  in  front 
of  2/3  of  all  US 
IT  professionals. 
If  you  want  to 
make  hires, 
make  your  way 
into  our  pages. 
Call  Janis 
Crowley  at 
1-800-762-2977 

Principal Consultant needed at
client  sites  to  lead  full  cycle 
implmtn,  maintain  &  support 
Oracle  E-Business  Suite.  Apply 
to  ThoughtDigital,  48  Broad  St, 
Red  Bank,  NJ  07701. 


IT  Firm  with  operations  based  in 
Alexandria,  VA  has  multiple 
openings  for  IT  professionals.  All 
positions  require  related  college 
degrees  and  relevant  skills.  Some 
of  the  skill  sets  needed  include: 

•  Design  &  development  of  Oracle 
based  applications 

•  Oracle  DBA 

•  Software  testing  using  manual 
and/or  automated  tools 

•  Web-based applications
development using JAVA, HTML,
SQL Server, JAVA SERVLETS

•  EJB 

Entry,  mid-level,  &  senior  level 
positions  available.  Competitive 
salary. Send resume to
kmulder@realeum.com. AN EQUAL
OPPORTUNITY  EMPLOYER. 




Kama  Consulting  Inc. 

TOP  $$’s,  W2  or  1099 


We  are  a  fast  growing 
Consulting  company  based 
in  North  Carolina. 
Excellent  opportunities  for 
Programmers, 

Systems  Analysts,  DBAs. 

Sun  Solaris  System  Admins, 
Natural, PowerBuilder,
ADABAS, ORACLE, SYBASE,
PROGRESS, COBOL
TCP/IP, Delphi/VB, Windows NT

Send  your  resume  to 
Rod  McFadden 
Kama  Consulting 
Fax:  704-896-9660 
Email: Kamaco@aol.com


Developer/Analyst;  Perform  life 
cycle  application  development  in 
areas  including  Oracle,  &  DBMS 
applications,  object  oriented 
design  &  development  &  GUI 
development.  Job  sites  throughout 
US.  Apply  to:  Aljona  Interservice, 
LLC,  791  Robert  Treat  Drive, 
Orange,  CT  06477 

Cap Gemini Ernst & Young U.S.
LLC  is  currently  seeking 
individuals  to  fill  Consultant  and 
Manager  positions  in  multiple 
locations  nationwide,  and  in 
California  including  the  Orange/LA 
counties  area,  San  Jose  area 
and  the  San  Francisco  Bay  area. 
To  apply,  please  select 
Careers/Job  Search  at 
www.us.cgey.com  and  then 
Doorway  to  Opportunity.  Use 
password  50861  for  Manager  or 
50862  for  Consultant. 


Software  Engineers  needed:  Im¬ 
plement  Oracle  applications  at 
client  sites;  Perform  conversions 
and  develop  migration  plans  for 
importing  legacy  financial  data  in 
to  Oracle  modules.  Work  with  3 
of  the  following:  Oracle,  UNIX, 
SQL  Server,  Shell  Scripting,  Re¬ 
ports  or  Developer.  Requires 
MS/BS  degree  or  equivalent 
and/or  relevant  work  experience. 
Mail  resume,  references  and 
salary  requirements  to:  Data 
Road  Inc.,  10151  Deerwood 
Park  Blvd.,  Bldg.  100,  #120, 
Jacksonville,  FL  32256. 


Smartsoft 

Programmer  Analyst  (2  positions) 
to  analyze,  develop  and  maintain 
web  and  client  server  appls  using 
Java,  XML,  HTML,  VB,  Active  X, 
Oracle,  etc  under  Windows  OS; 
perform  database  monitoring 
and  quality  control,  coding  and 
testing  of  projects;  generate 
batch  reports  from  existing  data 
and  debug  for  better  perfor¬ 
mance.  Require:  BS  or  foreign 
equiv  in  CS  or  Engg  (any 
branch)  with  6  months  exp  in 
IT.  Travel  to  client  site  in  US. 
Competitive  salary.  F/T  position. 
Send  Resume  to:  Smartsoft 
International,  Inc.,  4898  South 
Old  Peachtree  Road,  Suite  200, 
Norcross,  GA  30071. 




Computer/IT/IS Professionals:
INFOERA  SYSTEMS,  INC.,  a 
Delaware  Corporation  has 

multiple  openings  nationwide 
to  research,  analyze,  design, 
develop,  test  and  implement 
computer  based  programs  and 
systems.  Willing  to  Travel  and 
relocate anywhere in US.
Expertise/skills in RDBMS,
Oracle, Sybase, MSSQL, PL/SQL,
OOPS, C/C++, VB, ASP,
XML,  CFML,  Java,  J2EE,  JSP, 
JMS,  JMAPI,  JDBC,  EJB,  JRun, 
Web  Logic.  Qualified  candidates 
must  have  a  Bachelor's  or  Master's 
degree  in  Computer  Science 
or  equivalent  and  2+  years  of 
progressive  work  experience. 
Ref: IESI02PR1. Apply by visiting
www.infoerasystems.com  or  Fax 
your  resume  to  732-926-8376. 


SYSTEMS ANALYST - Quantitative-based
financial management
firm seeks Systems Analyst
to  provide  software  support  & 
database  management  for  com¬ 
puter-driven  trading  &  accounting 
systems  in  a  networked  Sun/ 
Solaris  UNIX  environment.  Duties 
include  software  development, 
maintenance  &  testing  for  equities 
database  &  various  reporting 
programs. Successful applicants
must  have  Master's  in  Computer 
Science  &  at  least  one  year 
experience  in  job  duties  or  one 
year  exp.  as  Systems  Analyst/ 
Software  Engineer.  Salary  accord¬ 
ing  to  experience.  Mail  resume 
to  RTC,  600  Route  25A,  East 
Setauket, NY 11733, Attn: RMSB


Information  Systems  Engineer 
wanted  in  Conroe,  TX  to  set  up, 
implement  and  manage  infor¬ 
mation  systems  and  network  for 
order  entry,  inventory  control, 
production  and  cost  accounting 
systems,  ensuring  compliance 
with  international  petroleum 
industry  standards.  Req.  B.Sci. 
in  Comp.  Sci  or  Eng.  plus  2 
yrs exp. in the job. Mail resumes
to  Mr.  Tony  Deeb,  President, 
Packard International, Inc.,
22397  White  Oak  Drive,  Conroe, 
TX  77306.  No  phone  or  fax. 


Software Engineer II - ABAP/SAP.
Conduct needs anal. &
determine  SAP-based  IS  req.  in 
Materials  Management,  Sales, 
Accounting  &  Financial  areas, 
using  appropriate  SAP  R/3  mod¬ 
ules.  Design,  develop,  install, 
maintain  &  upgrade  syst.,  soft¬ 
ware  &  servers.  Develop  SAP 
R/3 applications, & integrate w/
web  &  other  syst.  using  ALE/ 
EDI,  Idocs,  BAPI,  RFC,  SAP 
Connectors,  Middleware.  B.S.  or 
equiv.  in  Computer  Sci.  or  related 
Engineering  field,  +  2  yrs  exper. 
Send  resume  to  VP,  HR,  En 
Pointe  Technologies,  100  N. 
Sepulveda Blvd., 19th Fl., El
Segundo,  CA  90245 




Rapattoni  Corporation  is 
looking  for  a  Sr.  Magic 
Applications  Programmer/ 
System  Analyst.  Applicant 
should  have  BS  or  equivalent 
w/skills  of  Magic  Program¬ 
ming  &  Btrieve.  Job  site/ 
interview:  Simi  Valley,  CA 
Please  email  your  resume 
to:  Bret@rapattoni.com 


GUI Software Developer (Charlotte,
NC): Design, develop, integrate,
implement & test N-tier,
client-server-database applications.
Work w/ Microsoft Visual
InterDev ASP, JavaScript, HTML,
ActiveX, XML environment;
Work w/ multiple databases.
Integrate existing applications
into Microsoft .Net Framework
using ASP.Net, VB.Net, C#. Req.
BS  or  its  foreign  degree  equivalent 
in  C.  Sc.  +  2  yr.  exp.  in  job  offered. 
Resume  to  Personnel  manager, 
WebTone  Technologies,  3390 
Peachtree  Rd,  Ste  600,  Atlanta, 
GA  30326 


TX  software  and  development 
Co.  seeks  Software  Eng.  to 
assist  with  the  analysis,  design, 
code,  test  and  implementation 
for  the  applications;  system 
development  life  cycle  method¬ 
ologies  and  relational  database 
design.  Min.  requirements: 
Bachelor's  Degree  in  Computer 
Information  Systems  or  equiv. 
based  on  a  credentials  evalua¬ 
tion,  and  3  months  exp.  in-job  or 
job-related  including  experience 
with  Oracle  8i/9i,  PDM  with 
eMatrix (MQL, Java ADK), Tcl/Tk,
Oracle Designer 6/6i, Erwin,
Oracle 9i IAS, Oracle Forms (web),
Oracle Reports (web), Pro*C, SQL
Loader,  PL/SQL  (cartridges), 
J2EE,  Unix  Shell  Scripting,  Data 
Migration,  developing  test  scripts, 
JAD  facilitator,  data  warehouse 
with  Cognos.  Resumes  to 
Inforide  Technologies  LLC,  8705 
Shoal  Creek  Blvd,  Suite  #108, 
Austin,  TX  78757.  No  calls. 


Dir  of  Development  to  provide 
technical  leadership  to  analyze, 
design  &  implement  appls  using 
Delphi, Java, VB, ERWin on
Windows  OS;  manage  databases 
using  Oracle,  Dev  2000,  Ms 
Access,  SQL,  etc;  interacts  with 
business  users  to  gather  require¬ 
ments;  review  project  requests 
and  prioritize;  assign,  direct, 
manage  development  team; 
plan/execute  QC  policies.  Req: 
MS  in  CS  /  Engg.  (any  branch) 
with  3  yrs  exp  in  job  offered. 
A  BS  or  foreign  equiv  in  CS  or 
Engg  (any  branch)  with  5  yrs  of 
relevant  progressive  exp  will  also 
be  accepted.  Highly  competitive 
salary.  F/T  position.  Resume  to 
HR,  Get  Proof,  Inc.,  3050,  Royal 
Blvd  South.,  Ste  195,  Alpharetta, 
GA  30022 


SOFTWARE  ENGINEER 
DotCom.Team  is  looking  for  Soft¬ 
ware  Engineers.  The  candidate 
must  have  extensive  experience 
in  internet  technologies  like  Web 
Methods,  Vignette  Storyserver, 
Java,  VC++,  JSP,  XML,  ASP  etc. 
The  job  will  require  travel  to 
client  sites  throughout  the  US. 
Min.  req.  include  a  BS  in  Engg. 
or  a  subspecialty  field  in  engg., 
or  math,  computer  science,  or 
physics,  and  five  years  of  pro¬ 
gressive  work  experience  as  a 
Software Engineer, or a Master's
degree  in  one  of  the  above  fields 
and  2  years  of  progressive 
experience  as  a  Software  Engi¬ 
neer. 

DotCom.Team,  LLC 
Attn:  Bharat  Agrawal 
22  River  St.,  Suite  A-4 
Braintree,  MA  -  02184 
Email  -  bharat@dotcom-team.com 


Market  Research  Analyst  II, 
E-Commerce/B2B:  Conduct  mkt 
research  for  computer  products 
&  services  to  determine  potential 
&  maintain  &  improve  sales 
&  mkt  penetration.  Establish, 
design  &  administer  formats  for 
mkt  research  &  analysis,  prepare 
reports  &  analyses,  &  use  to  help 
determine  mkting  strategy  & 
focus.  Train  &  supervise  staff  & 
junior  analysts.  Follow  up  to 
determine  effectiveness  of 
methods  &  efforts  of  competitors. 
BA or equiv + 1 year. Respond to
VP,  HR,  En  Pointe  Technologies, 
100 N Sepulveda Blvd, 19th Fl,
El  Segundo,  CA  90245. 


Director, Bus. Planning, E-Commerce/B2B.
Formulate policy
&  strategy  to  identify  alliance 
partners  &  institutional  customers 
for  services,  &  forge  alliances. 
Develop  &  oversee  gathering  & 
analysis  of  demographic,  market, 
products,  etc.  data;  interface  w/ 
mgmt,  sales  &  mkting  groups  to 
focus  &  implement  strategy. 
MBA  &  min.  2  yrs.  experience  in 
same  or  related  area.  Send 
resume  to  VP,  HR,  En  Pointe 
Technologies,  100  N.  Sepulveda 
Blvd., 19th Fl., El Segundo, CA
90245. 


Special  Projects  Director  for 
company  located  in  Grand 
Prairie, Texas. 40-hour week,
8a-5p,  Masters  or  foreign  degree 
equivalent  in  Computer  Science 
and  1  year  experience  as  a 
Systems  Analyst.  Supervise  1 
employee.  Responsible  for  IT 
project  management  including 
planning,  designing  and  imple¬ 
menting  technology  solutions  in 
order  to  reduce  production  costs 
and  increase  efficiency.  Fax 
resume  to  Human  Resources 
972-642-9987. 


Software  Engineers  (2  positions) 
to analyze, design, develop web
based  client/server  appls  using 
VC++,  HTML,  Java,  Beans,  JSP, 
EJB, XML, VB, Servlets, PL/SQL,
Oracle, MS Access under
Windows,  UNIX,  &  Weblogic 
appl  server  platforms;  design/ 
develop  prototype  models  (Use- 
Case)  using  Rational  Rose;  trouble 
shoot  S/W  and  H/W  problems 
and  recommend  upgrades;  in¬ 
teract  and  mentor  other  project 
team  members  &  end  users. 
Require:  MS  in  CS  or  Engg.  (any 
branch)  with  3  yrs  exp  in  IT.  BS 
or  foreign  equiv  in  CS  or  Engg 
(any  branch)  with  5  yrs  of  rele¬ 
vant  progressive  exp  will  be 
accepted.  Competitive  salary. 
Req.  travel  to  client  sites.  F/T. 
Resume  to:  Unilinx,  Inc.,  4625, 
Alexander Dr, Ste 110, Alpharetta,
GA  30022 


QUALITY CONTROL ENGINEER -
Quantitatively-based
financial  management  firm  seeks 
experienced  Quality  Control 
Engineer  for  its  Database  de¬ 
partment.  Duties  include  running 
estimations  &  simulations  of 
market  software,  analyzing 
results  &  tracking  unexpected  re¬ 
sults  or  bugs  through  complex 
mathematical  algorithms  requiring 
knowledge  of  linear  algebra  & 
advanced  statistical  methods. 
Successful  applicants  must 
possess  Master's  degree  in 
Computer  Science  and  at  least 
one  year  experience  in  job  duties 
or  one  year  experience  as 
Systems  Analyst  working  with 
financial  instruments  software. 
Salary  according  to  experience. 
Mail  resume  to  RTC,  600  Route 
25A,  East  Setauket,  NY  11733, 
attn:  RM. 


SavaJe  Technologies  Inc.  has  an 
opening  in  its  Lisle,  IL  office  for  a 
Software  Developer  II  who  has  a 
Bach,  in  Computer  Sci.  or  Eng.  & 
5  yrs  C/C++  prog,  exper.,  incl.  2 
yrs  of  exper.  w/  Java  &  exper. 
w/ Visual Studio, JavaSpace,
implementation  of  Java  API 
class  libraries  &  utilizing  object- 
oriented  modeling  technique 
methodologies.  Interested  can¬ 
didates  should  send  resume 
to  Ref.  SDH,  Julie  A.  Geren, 
Human Resources Manager, 11
School  Street,  North  Chelmsford, 
MA  01863. 


Conslt.  Comp.  req.  Progg. 
Analyst  w/BS  degree  or  equiv 
equivl.  &  18  mos.  exp.  Des.  and 
Dev.  automated  control  system's 
Embedded  device  process  to 
control valve system with
C/Unix/USX/Sea-change. Des.
process  for  remote  server  to 
get  automated  device  status 
remotely  using  C/Unix.  Dev. 
process  for  control  device 
screens w/C. Des. in house
modbus  and  distribution  protocol 
for  client-server  control  system. 
Travel  to  various  client  sites 
anywhere  in  US  is  required. 
Send  res  to  Recruiter,  Hirsh 
Information  Sys,  Suite  #L,  10 
Ari  Dr,  Somerset,  NJ  08873. 


Software  Engineers  &  Program¬ 
mers.  Analyze,  design,  develop 
and  test  applications  for  online 
security  and  utility  industries 
in  C,  C++,  Java,  MQSeries, 
Websphere  Application  Server 
4.0,  Oracle,  DB2,  PL/SQL,  UML, 
Security  API's,  PKI,  Rational 
Rose,  XML,  Servlets,  EJB,  J2EE 
and  related  security  technologies. 
Prevailing  wage/benefits.  Con¬ 
sulting  positions  requiring  travel 
to  client  sites.  Send  resume  to 
HR,  Trinsol,  Inc.  1205  Spring 
Ridge  LN,  Flowermound,  TX 
75028. 

Seeking qualified applicants
for  the  following  positions  in 
Memphis,  TN:  Sr  Business 
Application  Analyst:  Coordinate 
/serve  as  liaison  between  tech¬ 
nical  developers  and  users/ 
customers. Requirements: bachelor's
degree* in computer science,
math, statistics, business
or  related  field  plus  5  years  of 
experience  in  analyzing  business 
systems  and  developing  technical 
automated  solutions.  Experience 
with  PeopleSoft  applications, 
SQR  and  Informix  also  required. 
Senior Programmer Analysts
(2): Formulate/define functional
requirements  and  documentation 
based  on  accepted  user  criteria. 
Requirements:  bachelor's  degree* 
in  computer  science,  MIS,  engi¬ 
neering  or  related  field  plus  5 
years  of  experience  in  systems 
/applications  development.  Ex¬ 
perience  with  Oracle  and  UNIX 
scripting  also  required.  *A  master's 
degree  in  the  stated  field  can 
offset  2  years  of  required  expe¬ 
rience  for  any  of  the  positions. 
Please  indicate  which  position 
you  are  applying  for  on  your 
resume.  Submit  resumes  to  Sibi 
George,  FedEx  Corporate 
Services,  1900  Summit  Tower 
Blvd.,  Suite  1400,  Orlando,  FL 
32810. EOE M/F/D/V.


Senior Software Engineer -
Design  &  implement  Network 
Management  System  software 
on  Cisco  platform  using  Cisco 
Element  Manager  Framework, 
C++,  Unix  &  Object  Oriented 
design  &  development  method¬ 
ologies.  Design  management 
systems  software  by  analyzing 
Management  Information  Base 
&  develop  Network  Management 
System  software  using  Simple 
Network  Management  Protocol. 
Must  have  Master's  degree  in 
Computer  Science,  Electrical 
Engineering  or  related  field  & 
one  year  of  experience  as  Soft¬ 
ware  Designer  Communication 
Network  Management.  To  apply: 
Send  resume  to  attn:  Angie 
Lebitz, Cyberwerx, Inc., 13000
Weston Parkway, Ste. 109, Cary,
NC  27513. 


SOFTWARE ENGINEER - Quantitative-based
financial management
firm seeks Software Engineer
for its Production department.
Duties  include:  develop  &  maintain 
computer  links  between  futures 
trading  system  &  trading  desk; 
write  new  programs  for  real-time 
data  area  &  real-time  systems, 
including  programs  to  handle 
real-time  aspects  of  data  feeds 
&  serving  data  in  real-time  to 
(program)  clients;  create/verify 
mathematical  trading  models 
for  real-time  trading  systems. 
Successful  applicants  must 
possess  Master's  in  Computer 
Science,  Mathematics  or  Physics 
&  at  least  one  year  experience  in 
job  duties  or  one  year  experience 
as  Software  Engineer  engaged 
in  theoretical  analysis.  Salary 
according  to  exp.  Mail  resume 
to  RTC,  600  Route  25A,  East 
Setauket, NY 11733, Attn: GHEV


F/T  Software  Applications  Engi¬ 
neer.  Responsible  for  modifying 
and/or  enhancing  new  as  well  as 
existing  applications.  Analyze 
business  requirements  &  design 
&  develop  documentation  to 
support  business  requirements 
&  specify  software  design  changes 
as  well  as  implement  &  test 
designs.  Work  w/  multi-threading, 
MS Visual C++, COM, C, C++,
UML, Rational Rose, VB, Star
Team & Visual Source Safe.
Must have Bachelor's degree in
CS, Electronic & Communications
Engin. or related field. Foreign
degree equivalent accepted.
Must have 5 yrs. exp. in job
offered or position w/ s...
duties. Send resume: dyer...
@ups.com or UPS, Job Code
ISSCW, P.O. Box 833, Ma...,
NJ 07430. Attn: Deborah ...,
Human Resources B-098

SOFTWARE QUALITY
ANALYST  &  DATABASE 
ADMINISTRATOR 

ADT  Security  Services,  Inc.,  the 
leading  electronic  security  ser¬ 
vices  company,  has  immediate 
openings  in  its  Boca  Raton  office 
for  experienced  Software  Quality 
Analysts  and  Database  Admin¬ 
istrators. 

Software  Analysts  will  analyze 
system  integration  and  compati¬ 
bility  issues  with  business  analysts 
and  development  teams,  design 
and  write  procedural  documents, 
analyze  software  functionality 
versus  business  process  issues 
and  work  with  users  during  train¬ 
ing. 

DBAs  will  be  responsible  for  the 
administration  of  several  pro¬ 
duction  and  development  data¬ 
bases,  analyze  database  re¬ 
quirements  of  user  departments, 
design,  develop  and  modify  tests 
and  debug  databases. 

Software  Quality  Analysts  and 
DBAs  must  possess  a  bachelor’s 
or  its  equivalent  in  computer 
science,  engineering  or  a  related 
technical  field  and  relevant  work 
experience.  Work  experience  for 
Software  Quality  Analysts  must 
include  Oracle  Applications 
/Databases/Tools  and  PL/SQL 
and  writing  and  maintaining 
automated  test  scripts. 

Work  experience  for  DBAs  must 
include  Oracle  database  admin¬ 
istration  tools  and  techniques, 
Windows  95/98,  SQL,  UNIX  (in¬ 
cluding  shell  script  programming, 
shell  interfaces  and  basic  system 
administration)  and  with  the  con¬ 
figuration,  performance  tuning, 
maintenance  planning  and  design 
of  databases. 

Resume  and/or  cover  letter  must 
reflect  each  requirement  above 
and  specify  reference  code 
SQA'DA  or  it  will  be  rejected. 

Forward  resume  to  Theresa 
Maia, ADT, One Town Center
Road, Boca Raton, FL 33486-1010.


WEB  DEVELOPER 

EXECUTIVE GREETINGS, INC.,
a business-to-business direct
marketing company, has an immediate
opening in New Hartford,
Connecticut,  for  a  Web  Developer. 

Evaluate  complex  business  needs 
to  determine  technical  solutions 
to  problems  or  improvements 
to  the  business  environment. 
Create  new  systems  by  conferring 
with  users  to  determine  their 
software  needs.  Apply  technical 
and  business  solutions  and  use 
data  structure  design  and  pro¬ 
gram  technologies  to  satisfy  user 
requirements. 

Must  possess  a  bachelor’s  degree 
or  its  equivalent  in  Computer 
Science  or  a  related  field  and  rel¬ 
evant  work  experience,  including 
Windows  NT/98,  Sun  Solaris, 
Java,  Java  Script,  HTML,  XML, 
Oracle,  SQL  Server,  ASP,  C++, 
EJB,  J2EE,  JSP,  and  Weblogic. 

Resume  and/or  cover  letter  must 
reflect  each  requirement  above 
and  specify  reference  code  WD 
or it will be rejected.

Forward  resume  to:  Lucy 
Chwaszczynski  at  Executive 
Greetings,  Inc.  120  Industrial  Park 
Access  Road,  New  Hartford,  CT 
06057. 


Software  Engineers  needed. 
Seeking  qual,  cand.  possessing 
MS/BS  or  equiv.  in  ICS,  CS,  EE 
or  related  and/or  relevant  work 
exp.  Design,  implement,  test  & 
support device drivers & kernel
software  for  a  high  performance, 
headless  CISC  server.  Part  of 
the  relevant  exp.  must  include  1 
of the following: I2C & SPI, NIC
&  Serial.  System  and/or  Board 
bringup  exp.  highly  desirable 
as is embedded systems
development  exp.  Mail  resume  & 
ref.  to:  Newisys,  Attn:  HR,  10814 
Jollyville  Blvd,  Bldg.  4,  #300, 
Austin,  TX  78759. 


SENIOR  SOFTWARE 

ENGINEER 

Performs  engineering  functions 
required  to  design,  debug,  and 
document  software  products 
for  customers  as  part  of  custom 
fastening  equipment  and  systems. 
Specific duties: review customer's
functional specifications,
and work with customers to ensure
software product design will
satisfy  documented  requirements; 
responsible  for  preparation  of 
functional  and  design  specifica¬ 
tions,  implementation  details, 
coding  and  debugging,  and 
source  code  documentation 
required  for  execution  of  a 
defined  software  project;  provide 
technical  liaison  with  outside 
software  contractors  and  cus¬ 
tomers  when  required;  prepare 
specifications  for  hardware  and 
design  services  to  be  purchased 
or  built  per  contract;  work  with 
suppliers  and  purchasing  per¬ 
sonnel  to  evaluate  quotes  on 
such  goods  and  services;  work 
with  engineering  and  plant  per¬ 
sonnel  to  develop  system  inter¬ 
faces  and  controls  methods; 
work  with  internal  production 
personnel  in  manufacturing, 
assembly  and  test  of  systems  to 
resolve  build  problems  related  to 
software  applications;  prepare 
test  procedures  and  documen¬ 
tation  of  test  apparatus  required 
to  prove  conformance  with  stated 
requirements  prior  to  delivery  or 
acceptance  by  customer;  work 
with  service  personnel  and  cus¬ 
tomer  contacts  to  diagnose  and 
resolve  technical  problems  or 
modifications  required  in  the 
field;  notify  customer  contact  of 
any  design  considerations  that 
require  deviations  from  stated 
scope  of  supply  or  compliance 
with  customer  requirements; 
assure  all  technical  changes  are 
authorized  by  company  prior  to 
execution;  assume  responsibility 
for  all  documentation  and  follow 
through  on  changes  in  a  timely 
manner;  create,  write,  and  update 
technical  users  manuals  covering 
proper  operation  of  software 
products  offered  by  company; 
and  work  with  customer  contacts 
to  execute  any  changes  in  scope 
of  supply  or  deviations  to  com¬ 
pliance  in  requirements  as 
authorized  by  company.  Require 
a  BS  with  major  in  Computer 
Science  or  Electrical  Engineer¬ 
ing  and  minimum  of  3  years  of 
related  job  experience  in  em¬ 
bedded  microprocessor  software 
/firmware  design  or  industrial 
application  software  design  at 
controller  or  server  levels,  in¬ 
cluding  experience  with  DOS 
Based  platforms  (X86  family  and 
Pentium),  software  (C++,  Windows 
family  of  operating  systems), 
and  networks  (RS-232,  RS-485, 
Ethernet).  Position  is  full  time,  40 
hrs per week, 8:00 am - 5:00
pm. Job site: Auburn Hills, MI. All
applicants  must  have  legal  right 
to  work  in  the  US.  Apply  to:  Tom 
Kosmata,  CooperTools,  4121 
North  Atlantic  Blvd.,  Auburn 
Hills,  Michigan  48326. 

EOE  m/f/v/h 


Systems  Analyst.  Competitive 
salary.  40  -  50  hrs/wk.  Responsi¬ 
ble  for  extending,  developing  and 
designing  client  interfaces  to 
automate  client's  business  re¬ 
quirements.  Internet  and  Intranet 
Web  design  and  development. 
Analyze  client’s  business  needs, 
perform  feasibility  studies,  design 
process  and  data  models  based 
on  requirement  analysis,  build 
physical  data  models,  develop, 
implement  and  test  applications. 
Lead  a  team  of  developers  to 
web  enable  procurement  system 
running  on  AS/400.  Tools  used: 
ORACLE,  Developer  2000,  De¬ 
signer  2000,  Crystal  Report, 
Java,  VisualBasic  6.0,  Project 
Library, PL/SQL, Pro*C, SQL
Plus  and  JWalk.  Require  a  BS  in 
Computer  Science  with  2  years 
on  the  job  experience  or  2  years 
of  Web  design  and  development, 
which  must  have  included  spe¬ 
cialized  web  development  tools 
and  software  Java,  J  Developer 
and JWalk. Must have proof of
permanent  legal  authorization 
to  work  in  the  US.  Send  resume 
&  cover  letter  documenting 
minimum  qualifications  to:  Behura 
Somdutt,  Manager,  Career  & 
Consulting  Services,  6250  West- 
park  Drive,  Suite  325,  Houston, 
TX  77057,  EEO. 


National  Instruments  Corp., 
based  in  Austin,  TX  is  currently 
seeking  to  fill  multiple  positions 
in  the  following: 

Software  Engineers 
Research,  dsgn  &  dvlp  s/ware  in 
mainly  C/C++  using  OO  dsgn  & 
s/ware  dsgn  principles.  Must  have 
Bachelors  in  Engg,  or  Comp  Sci, 
Physics  or  Math.  CODE:  CWSW 

Computer  Hardware  Design 
Engineers 

Research, dvlp & manage projects
in data acquisition, signal
conditioning, industrial communication,
instrument ctrl, image
acquisition, embedded controllers
& ASIC prdcts using dsgn techniques
in analog & digital circuit
dsgn, comp architecture, communication
bus interfacing & digital
signal processing. Must have
Bachelors in Engg, Comp Sci,
Physics or Math. CODE: CWHW

Programmer/Analysts (Business
Processes)

Plan, analyze, dsgn, dvlp & test
s/ware using Oracle, Lotus
Notes, Web; use GUI & object-oriented
dsgn to dvlp user interfaces
& data entry screens that
support business functions. Must
have Bachelor's in Info Sys,
Comp Sci or Business Admin.
CODE: CWPA

Fax resumes to: HR Department
at 512-683-6924. Job Code must
appear on resume.


NE OH Software Consulting Co.
seeks SAP Consultant for development
programming in client/server
computing environments; data
conversion, enhancement development,
configuration analysis, revising
systems in conjunction
with customer requirements;
analysis and programming of
user requirements and recommendation
of best alternatives;
detailing SAP ABAP/4 module
requirements for programming of
the existing SAP package; translating
customer requirements
into codes and descriptions for
entry into SAP ABAP/4 parameters;
integrating programs to
translate user requirements into
specific applications software of
the SAP module, utilizing the
specialized package development
software (ABAP/4); programming
and testing program
for errors. Min req. Bachelor's
Degree in Comp. Sci. or equiv.
based on a cred. eval. and 1 yr.
in job or job related exp. in SAP
Business Process Software Version
3.0e, Oracle, UNIX system,
SAP ABAP/4 Version 3.0e development
application language.
Travel req. Resumes to HR, 5800
Landerbrook, Mayfield Hts., OH
44124. No calls. EOE


Protech Solutions, Inc. delivers
innovative IT solutions to
business clients nationwide. We
have immediate full time
opportunities for Programmers,
Engineering Programmers,
Programmer Analyst, Systems
Analyst, Software Engineers,
DBA's, Consultants and
Software Consultants in any of
the following areas:
LAN/WAN Enterprise NW, MS
Exchange, Web Server,
Terminal Servers, Desktop
Deployment, Software
Distribution, Visual Studio, Java,
C++, Oracle, Dev 2000, MTS,
MSMQ, DCOM, Active X, SQL,
DBA, MCSD, OCP, HTML, SCJP,
DHTML, XML, ASP, XSL, CSS,
MCD, COBOL, CICS, DB2,
IMS, VSAM, TCL, PL/1, DBA,
S/370, ES 9000, ADABAS,
Natural, ERP Systems,
SAP, Peoplesoft. Bachelor's
/Master's Degree required,
depending on position. We
also accept the foreign
educational equivalent of
the degree, or the degree
equivalent in education and
experience. Excellent benefits.
Send resume/salary req. to: HR,
Protech Solutions, Inc.
124 W. Capitol, Suite 550, Little
Rock, AR, 72201 or
HR@protechsoft.com


Computer Programmer, Roswell,
GA, Info-One, Create code in
VB, VBA, Access, Crystal Reports,
Access 97/2000 and Sequel
Server 7/2000 languages to
develop, design and maintain the
VTR Plus software and enhancements
for data collection.
Reqs. BA in Comp. Science,
Eng. or Info. Tech. & 2 yrs exp. in
the pos. offered or as Dvlp. or
Data/Software Researcher. The
2 yrs reqd exp. must incl. creating,
testing & preparing code for
production, as well as converting
specs into code in order to perform
enhancements for Visual Basic/
Access/Sequal server products.
The 2 yrs exp. must have incl.
work w/Sequal Server in a Windows
envir. utilizing SQL, HTML,
ASP, JAVA Script, VB Script,
VBA, Crystal Reports, Access,
Excel, Windows NT. Send resume
& cvr. letter to Mr. David Hunsinger,
Info-One, 37 Magnolia
Street, 2th Floor, Roswell, GA
30075. No phone calls.


SYSTEM ANALYST. Analyzes
user requirements procedures,
and problems to automate processing
or to improve existing
computer systems. Bachelor of
Science in Computer Science,
Engineering or math-related and
2 years experience required. 2
years experience with MOVEX
required.

Apply by resume to Mike Holliman,
VP Human Resources, Augusta
Sportswear, Inc., P.O. Box 14939,
Augusta, Georgia 30919-0939.


Stanford Technology Partners Inc.
is a California based Information
Technology consulting company
with its offices across the USA.
We seek a Director of Business
Development. Responsibilities
include overall responsibility for the
management and development
of the IT consulting business, developing
new clients and business
opportunities for the IT consulting
business. This position is
located in Framingham, MA.

If interested, please send resume
to: Stanford Technology Partners
Incorporation, 849 Erie Circle,
Milpitas, CA 95035 Fax: (508)
519-5689

e-mail: recruiter@stpincusa.com


Systems Analyst; 8a-5p 40 hrs
/wk; Analyze, design, develop,
program, implement, test &
maintain software applications
based on user reqmts using C,
Oracle 7, Dev. 2000 & Novell
Netware 3.1; Bachelors or equiv.
foreign degree in Computer Sc.
or Engg. or Tech; Computer Info
Sys; Electronics or Electrical
or other related branch of Engineering.
One year experience in
job offered or related occupation
of Programmer Analyst, Application
Developer or Software consultant
or professional. Resume
to: Axiom Systems, Inc. 2550
Northwinds Pkwy., Suite 440,
Alpharetta, GA 30004.


Programmer/Analyst, Min. Bachelor's
in Computers/related field,
2yrs exp. in similar position. Assist
in feasibility studies and in
determining functional specifications;
design, develop, configure,
and code applications, computer
systems and subsystems. 40
hrs/wk, 9AM-5PM. Competitive
salary. Send resume to: Yellow
Pages-Web Com LLC, 2818
Everwood Pointe, Marietta, GA
30008.


Systems Analyst (Trumbull, CT) -
perform complex computer systems
analysis, software problem
diagnosis, resolution, measurement
and tuning to optimize
online system, upgrade computer
information systems infrastructure.
Req. 4 yrs exp in the job, M-F,
9-5:30, salary depends on experience.
Pls. send resume to HR
Manager, The NASDAQ Stock
Market, 80 Merritt Blvd, Trumbull,
CT 061 1, or fax to (203) 385-4698.
EOE


Technical  Support  Specialist. 
8:00  a.m.  to  5:00  p.m.  40  hours 
per  week.  Analyze  project; 
assign  and  coordinate  work 
schedules;  review,  test  program 
for  compatibility;  troubleshoot 
and  provide  technical  support 
/updates  using  VisualBasic, 
ActiveX,  DHTML,  ASP,  Java, 
Oracle  and  Windows  NT,  Windows 
2000.  Educational  Requirement: 
Bachelors  or  equivalent  degree 
in  Computer  Science/Engineering, 
Information  Technology,  Electrical, 
Electronics  or  related  Engineering. 
Resume  to:  Spark  Technologies, 
Inc.,  7001  Peachtree  Indus. 
Blvd.,  Suite  446,  Norcross,  GA 
30092. 


Software Engineer (Norcross, GA):
Develop applications to conduct
stock market research in NT &
UNIX platforms. Work w/ OO
technology, C++(COM), Visual
Basic, Java AWT/Swing, Java
Applet/Servlets, SQL, Microsoft
IIS, Apache Server. Req. M Sc.
in C.S. or its foreign degree
equivalent + 1 yr exp. in job
offered. Resume to VP, Computrade
Systems, 3500 Pkwy Lane,
Ste 420, Norcross, GA 30092


Software Engineer (Atlanta, GA):
Design & develop web-based
software applications and B2B
exchanges. Design, develop &
maintain Enterprise Software
Systems & innovative E-Commerce
solutions using JSP, Java
Script, VBScript, ActiveX, ASP,
Site Server, DHTML, IIS, Vitria
Businessware, Java/J2EE, XML
/XSL, COM/DCOM, Weblogic,
JMS. Req. B.Sc. or its foreign
degree equivalent in C. Sc.,
Electronics Engg. or other engineering
field + 2yr. exp. in job
offered. Resume to: Human
Resources; job code CWDB87,
Cbeyond Communications, 320
Interstate North Pkwy, SE, Ste
300, Atlanta, GA 30339


Sr. Business Syst. Analyst - SAP.
Prepare, evaluate, develop, configure,
maintain, & support SAP-based
IS, inc. project planning,
requirement anal., gap anal.,
process redesign. Design, configure
& dev. FI/CO, SD, MM
SAP Modules & integration w/
FI/CO. Write tech. specs for
programs, Function Modules,
BAPI, interfaces, data conversions,
& reporting. Design &
develop CATT Procedures,
Report Painter & ABAP Query.
B.S. or equiv. in MIS or related,
w/ business orientation, + 2 yrs.
experience & fluent SAP R/3
& relevant Modules. Send resume
to VP, HR, En Pointe Technologies,
100 N. Sepulveda Blvd, 19th Fl.,
El Segundo, CA 90245


Call  your 
ITcareers  Sales 
Representative 
or  Janis  Crowley 

1-800-762-2977 
But magnetic stripes are still alive; smart cards on the horizon

BY PATRICK THIBODEAU

WASHINGTON

Companies that want to scan driver’s licenses to authenticate customer identities face the prospect of having to deal with three different technologies.

Various states are already taking different directions, and Congress could also influence the choice of scanning technologies. The bottom line: A business can’t be assured that the driver’s license scanning technology it picks will be the right choice.

About 45 states use magnetic stripes, bar codes or both technologies on the same card.

But there’s a move in Congress to increase the security of driver’s licenses with biometric technology. With time running out in this session, however, lawmakers aren’t expected to act this year on a bill that would allocate $300 million to states deploying biometric-equipped smart-card driver’s licenses.

Despite the absence of federal action, there are nonetheless clear technology trends among states.

Two-dimensional bar codes are gaining ground over magnetic stripes, with 37 states using them, according to the American Association of Motor Vehicle Administrators in Arlington, Va. Twenty states use magnetic stripes, but some use both technologies.

Advocates of 2-D technology, such as Dennis Nussbaum, a top official in Wisconsin’s Division of Motor Vehicles, say the bar codes are more durable than magnetic stripes, hold more data and can be easily used on other documents.

Pennsylvania last year added 2-D bar codes to its driver’s licenses but is continuing to use magnetic stripes to give technology options to law enforcement agencies and retailers, said Joan Nissley, a spokeswoman for the Pennsylvania Department of Transportation.

Symbol Technologies Inc. in Holtsville, N.Y., developed the 2-D technology standard. One of the attractions of 2-D bar codes is their storage capability; each can hold 1,108 bytes of data. Magnetic stripes have a maximum capacity of 210 bytes. With the likelihood that states will move to biometric identifiers — possibly as a result of a federal law — 2-D bar codes might be more appealing because of their storage capacity.

But the magnetic stripe may not be out of the running.

MagTek Inc. in Carson, Calif., has developed a higher-density standard for magnetic stripes that would increase capacity to 1,836 bytes. The standard has already been submitted to various approval bodies.

Kiran Gandhi, vice president of marketing at MagTek, said the appeal of magnetic stripes is that most businesses have readers for them.

Magnetic stripes put data on three tracks; the data businesses scan is on Tracks 1 and 2. The high-density standard uses six tracks, and a new reader would be needed to access that data, but the first two tracks would be backward-compatible, said Gandhi.

A smart card, which contains a microprocessor, can hold up to 64,000 bytes of data and can offer high security, as well as storage for many other applications, such as health and motor vehicle insurance. But states say the technology would cost millions to deploy and would take a push in Congress for funding, said Randy Vanderhoof, CEO of Smart Card Alliance Inc. in Princeton Junction, N.J.


More Homeland Security Players


Continued from page 1

War on Terror

Inc. and Xerox Corp., to name just a few. All of these companies, and dozens more, are actively pursuing the homeland security market.

“Government has not had a shortage of security-related data and information,” said Jeff Bedell, chief technology officer at MicroStrategy, a business intelligence software vendor in McLean, Va. “Its fundamental problem has been in making sense of the data, in drawing links between all the disparate sources of the data. Those weaknesses can be directly addressed by the strengths of business intelligence software.”


Corrections

IN A JULY 8 STORY about IT in the construction industry, the location of Framework Technologies Corp. was incorrect. The software company is located in Burlington, Mass.

Also in that issue, our page 6 story on the launch of the Itanium 2 misidentified an analyst at The Sageza Group Inc. His name is Charles King.

Major  Players 

Last month, IBM Global Services unveiled five technology suites designed specifically “to address broader and emerging safety and security issues in industry, global commerce and society,” said Rusine Mitchell-Sinclair, general manager at IBM Global Services’ safety and security practice.

At its Institute for Electronic Government in Washington, IBM showcased mobile communications network technologies for emergency responders, biometric authentication systems, integrated physical and cybermonitoring systems, and wearable PCs for emergency first responders.

Stamford, Conn.-based Xerox is working with the FBI to conduct “knowledge assessments” to identify where the agency’s corporate knowledge exists and the best way to communicate and share that data securely, said Jim Joyce, president of Xerox Connect.

Xerox has developed several technologies applicable to the broader homeland security effort, said Joyce, including data glyphs that can be embedded in paper documents as tracking devices and ContentGuard software that lets companies track who accesses what information on their Web pages.


Art Technology Group Inc.

* Cambridge, Mass.-based developer of online customer relationship management (CRM) tools.

* Started a pilot program with the Agriculture Department that uses ATG’s Commerce Suite to send food-related emergency alerts to school districts.

Meanwhile, Symbol is providing a bar code reader that the U.S. Department of State uses to conduct physical security checks abroad, said Tom Roslak, vice president of security at Holtsville, N.Y.-based Symbol. The bar codes are strategically placed around facilities. Security guards then scan them with a handheld device that verifies that the checks were conducted at the proper time and place.


Ascential Software Corp.

* Westboro, Mass.-based data integration and data cleansing firm.

* Considers the process of integrating and cleaning data for use in CRM, ERP, business intelligence and e-business applications to be a metaphor for what federal agencies could be doing for homeland security and defense.

Companies such as Fairfax, Va.-based American Management Systems, known best for its systems integration work in the financial services sector, and database provider Oracle have gone one step further than most by institutionalizing homeland security into their corporate structure. For example, AMS established a Homeland Security Lab, where research is being conducted in link analysis, identity verification, hazardous materials management and other areas.

Likewise, Oracle has added homeland security solutions to the title of Steve Perkins, senior vice president of Oracle Public Sector. Perkins said the full line of Oracle applications will be positioned to help the “Department of Homeland Security consolidate its operations, much like a corporate merger, to work more efficiently.”


Datastrip Inc.

* Exton, Pa.-based provider of secure high-density 2-D bar-code software and hardware.

* Focusing on applying its technology to the federal effort to create a tamper-resistant entry and exit border-protection system.


SECURITY  MARKET  Q&A 

Five  top  executives  from  IT  vendor 
companies  offer  their  perspectives  of  the 
homeland  security  market. 
Let Users Swat Bugs

OOPS. Two weeks ago in this space, I wrote about the importance of reducing errors in software and reported that U.S. software users could save $22.2 billion in lost productivity if software developers made “feasible improvements” in software testing to get rid of more bugs, according to the U.S. government’s National Institute of Standards and Technology.

Then, a little later in the column, I referred to exactly the same amount as $22.2 million.

Hey, I didn’t say getting rid of errors is easy.

For the record, the correct number is $22.2 billion. And most readers were apparently able to develop their own work-around for this informational bug so they could continue reading the column.

But the fact remains that a spectacularly obvious, thoroughly preventable error got through several layers of QA (in the newspaper business, it’s called “editing”) and was spotted only by users — er, readers — who helpfully reported the problem so it could be corrected.

Conclusions? Blowhard columnists are just as error-prone as programmers. And QA can help, but we can’t count on it to catch all errors — even the obvious ones. And most important, when it comes to finding and correcting bugs, users are our friends.

Or at least they should be. And not just after code (or a column) is out the door.

We should put users in the loop from the very beginning — and keep them there, all the way through.

After all, users know their jobs. They know how applications will be used. They know what they need in order to do business. Requirements and specifications and wish lists are just a thin, pale abstraction of what software is supposed to do. Users can give you the real thing — in real time.

We all know that the best time to find bugs, errors in design and just plain boneheaded ideas is as early as possible, when they’re easiest to fix. Which means the earlier we connect users with code, the more they can help us. The more mock-ups, prototypes and early versions we run past users, the more likely they will be to point out the things that don’t work before they’re hard to change.

Users can tell us which features really matter and which ones are window dressing. They can identify which requirements are changing and which ones are likely to, and in what direction. They can clarify how business processes actually work, what screens and data they’ll actually use and where the biggest annoyances show up.

And if we keep showing them what our application looks like and keep picking their brains for what’s right and what’s wrong with it, we’ll get a continuous stream of the best available information on how our software matches up with their needs.

Does that sound like a lot of extra work? Sure it does. But it’s not as much work for us as having to change code later in the process. And it’s not as much work for users as using some convoluted work-around to deal with bugs or design flaws that could have been fixed early on.

Of course, users aren’t a replacement for careful programming or code reviews or use of modern software development techniques. Users won’t spot poorly structured code or misused libraries, and they probably won’t find buffers that can overflow or memory leaks that crash the application after many hours of use.

But they’ve got a vested interest in getting software that works. And when they’ve had a chance to help guide that software’s development, they’re more likely to give useful feedback and bug reports if the finished product has problems — and less likely to just swear at those dweebs in the IT shop.

So figure out how to bring your users and code together, early and often. Because getting rid of software errors isn’t easy. And to get our share of that $22.2 mill — er, billion, we need all the help we can get.


FRANK HAYES, Computerworld's senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes@computerworld.com.


USER COMPLAINS that her PC’s monitor is slowly dying. “It gets dimmer and dimmer as the day wears on and then, after a night of rest, is a bit brighter,” she tells support pilot fish. Fish’s diagnosis: “As the sun comes over your shoulder during the day, it’s washing out your screen. In the morning, it’s dark enough to be readable.” His prescription: “Try turning your desk around.”

THIS PANICKED user’s digital camera has a problem, she tells IT pilot fish. The camera’s floppy disk drive keeps spinning and makes an awful noise even without a disk inserted, and the off switch isn’t working. “I don’t want to send it over to you with it continuously running, because that might cause more damage,” she says. Fish says, “I suggested she remove the battery and send it over. Sometimes the simple solutions escape us.”

IT PILOT fish is installing a specialized software package and carefully follows the manual’s instructions. But at one point, he enters the command as shown in the manual and gets back the response “Denied.” He pores over the manual to find what he’s done wrong, but he keeps getting “Denied.” Fish calls the vendor’s local support rep, but after two days he can’t get past “Denied” either, so he turns fish over to tech support guru in Germany. Fish walks through what he’s done. “Then,” he says, “the response I got was ‘Denied.’ ” “Yes,” says guru. “That’s the normal response.” After a long pause, he adds, “Maybe we should put that in the manual.”

IT TAKES a while, but pilot fish finally fixes all the problems that crop up on his laptop after a network upgrade. Then he reboots - and that takes a very long while, so he calls in a help desk wizard. Wizard watches fish’s log-on script execute at the rate of one line per minute, then delivers his suggestion: “Don’t ever turn your computer off and everything should be fine.”

THIS AIRLINE ticket office in Pittsburgh really needs a color printer for printing out graphs and reports in color, says pilot fish working there. But cheapskate boss comes up with a, um, “better” solution: Since the office in Charlotte already has a color printer, he says, just send them the file electronically, so they can print it out in color - then they can fax it back to Pittsburgh.